System for controlling access and distribution of digital property

ABSTRACT

A method and device are provided for controlling access to data. Portions of the data are protected and rules concerning access rights to the data are determined. Access to the protected portions of the data is prevented, other than in a non-useable form; and users are provided access to the data only in accordance with the rules as enforced by a mechanism protected by tamper detection. A method is also provided for distributing data for subsequent controlled use of those data. The method includes protecting portions of the data; preventing access to the protected portions of the data other than in a non-useable form; determining rules concerning access rights to the data; protecting the rules; and providing a package including: the protected portions of the data and the protected rules. A user is provided controlled access to the distributed data only in accordance with the rules as enforced by a mechanism protected by tamper protection. A device is provided for controlling access to data having protected data portions and rules concerning access rights to the data. The device includes means for storing the rules; and means for accessing the protected data portions only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data.

FIELD OF THE INVENTION

[0001] This invention relates to the control of distribution and access of digital property as well as to the payment therefor.

BACKGROUND OF THE INVENTION

[0002] The development and deployment of digital information networks is accompanied by new concerns for the protection of rights to data and information. The U.S. Congress Office of Technology Assessment identified the following key developments relevant to the area of this invention: there has been an overall movement to distributed computing; boundaries between types of information are blurring; the number and variety of service providers has increased. Information Security and Privacy in Networked Environments, Congress, Office of Technology Assessment, OTA-TCT-606, Washington, D.C.: U.S. Government Printing Office, September 1994.

[0003] Computer networks allow more interactivity; and, most significantly, electronic information has opened new questions about copyright, ownership, and responsibility for information. Technology, business practice, and law are changing at different rates, law arguably being the slowest.

[0004] Intellectual property, or information, is different from real property. A major difference between intellectual property and real property is that intellectual property can be embodied in forms which can be copied from the owner while the owner still retains the original. For example, a broadcast or performance of a musical composition can be recorded (and copies made of the recording) while the composer retains the original composition; a photograph can be reproduced while the owner retains the original negative.

[0005] In the past, when information was stored in analog form, the copying and redistribution of such information, while problematic, did not account for as much economic loss as is possible today. The storage of information in analog form uses a physical medium that is made to have some characteristic vary in proportion with the information to be stored. For instance, the groove on a vinyl record captures the frequency and intensity (volume) of a sound by the extent of its excursion. At each stage in the process of playing a record: the stylus tracing the groove, generation of a small voltage, amplification of the voltage, and reproduction of the sound, small errors are introduced. Today's high fidelity systems are very accurate, but they are not flawless.

[0006] Indeed, copying a vinyl record to a cassette tape results in a small, but noticeable, reduction in sound quality. If multiple generations of recording (e.g., cascaded recordings) were undertaken, the resulting product would be noticeably inferior to the original. Similarly, when multiple generations of photocopies of an image are made, the quality of the resulting image is typically poor, with many dark and light areas that were not present in the original image.

[0007] It is the inevitable gradual degradation of quality that has proven to be a practical disincentive to large scale copying of analog information. Notwithstanding this observation, where the potential profits are high, such copying is undertaken even though the resulting product's quality is significantly below that of the original. Videotape copies of movies represent a good example. Some fraction of the marketplace is willing to accept a lower quality product in exchange for a significantly lower price. The logistics associated with making large numbers of copies (an inherently serial process), including obtaining the raw materials (cassettes), the reproduction equipment, and the distribution channels also have served to limit illicit production. Finally, the quality of the product as well as the markings on the package distinguish it from the original and may also serve as a disincentive (for some) to purchase an illicit copy.

[0008] Just as the invention of the printing press changed the way in which society interacted with information on paper, the technical advances in digital computers and communications in the closing years of the twentieth century have a potential for high impact on legal, moral, and business practice. The printing press is often credited as an enabling mechanism for the Renaissance and the Reformation in Europe. The advances in digital information technology will similarly impact commerce and law. Digital technology enables changing the representation of information without changing the content. (Of course the content can be changed too.)

[0009] The storage of information in digital form depends on the ability to encode information in binary form to arbitrary precision and to record that binary form in a physical medium that can take on two distinct characteristics. Preserving the fidelity of information recorded in binary (using media with two distinct and easily-differentiated characteristics) is easily accomplished. For instance, a compact disc stores information (each binary digit or bit) as the presence or absence of a hole (depression or pit) that reflects or does not reflect light. Compared to the analog recording of phonograph records, the information stored in each hole is unambiguously a binary digit, the value of which is either zero or one. No other values are possible. A digital tape stores each bit as a magnetic spot that is oriented either north/south or south/north. Today's digital sound systems use sufficiently many bits to capture sound levels beyond the ability of the human ear to distinguish a difference and in so doing attain so-called “perfect” fidelity.

[0010] A digital file can be copied with no loss of fidelity (as the mechanism need only distinguish between two easily-differentiated states). With straightforward and well-known error-correction mechanisms, even inevitable flaws can be made so improbable as to occur fewer than once in ten billion bits.

[0011] As a result of the ability to copy a file with no loss of fidelity, it is now almost impossible to differentiate a digital copy from the digital original. In a network environment recording materials, reproduction equipment and distribution are not impediments to copying. Consequently, in the digital domain the threshold inhibiting the making of illicit copies is significantly lowered. Evidence that this is the case is presented by the Software Publishers Association and by the Business Software Alliance, each of which indicates that billions of dollars of software is pirated (in the sense of being illicitly copied) each year. Additionally, print publishers hesitate to expand into the network marketplace because they are unable to control (in the sense of receiving compensation in return for rights) secondary distribution of their products as well as incorporation of their products into derivative products. Digitally stored information may include binary data, computer software, text, graphics, audio, and video. The uses of this information include news, entertainment, education, and analysis. Information may be distributed in many ways, including networks, magnetic media, CD-ROM, semiconductor memory modules, and wireless broadcast.

[0012] Copying and distributing large volumes of digital information over long distances is becoming easier and less costly. Such changes in cost and convenience of necessity impact business decisions concerning producing, distributing, promoting, and marketing. The commercial relationship among information producers (such as authors, performers, and artists), distributors (such as publishers, promoters, and broadcasters), and consumers must change in response to the technology.

[0013] The law concerning intellectual property is in ferment. Major revisions in the laws regarding the protection of computer programs have been suggested. A Manifesto Concerning the Legal Protection of Computer Programs, Samuelson, P. R. et al., Columbia Law Review, vol. 94, no. 8, pp. 2308-2431, December 1994. The European Union is working on harmonizing protection of intellectual property rights with respect to technology and differences in civil and common law countries. Commission of the European Union, Jul. 19, 1995, Green Paper on Copyright and Neighboring Rights in the Information Society, catalogue number CB-CO-95-421-EN-C, ISSN 0254-1475, ISBN 92-77-92580-9, Office for Official Publications of the European Communities, L-2985 Luxembourg. In the United States, the issue of protection of intellectual property rights is being addressed in the context of the National Information Infrastructure. The uncertainty of legal protection over time and from country to country only serves to emphasize the importance of and need for technical protection of intellectual property rights in information and data.

[0014] The principal technology which has been used for protecting intellectual property is cryptography. However, devising practical retail systems for delivery of intellectual property from distributor to consumer, as distinct from confidential transmission in national security and business activities among trusted and cleared personnel, has required innovation.

[0015] Executable software-based cryptography can ensure that data are distributed only to authorized users. The information to be protected is encrypted and transmitted to the authorized user(s). Separately, a decryption key is provided only to authorized users. The key is subsequently used to enable decryption of the information so that it is available to the authorized user(s).

[0016] Other ways of controlling access to portions of data or software have included the use of external devices or tokens (dongles) needed in order to access the data or selected features of a program. Possession of the token is made evident to the computer system by physical attachment of the token to the computer. A token is generally attached to a printer, game, or network port where executable software can check on its presence prior to authorizing access. Diskettes have also been used as dongles; their presence in the diskette drive is checked by the executing software. Because they must be actively interrogated, dongles are generally used to limit access to program features and not to limit access to information.

[0017] Of those prior art systems which make some use of encryption, none protects the data after it has been decrypted. Thus, secondary distribution and multiple uses are possible.

[0018] Further, in all of the prior art, access is all or nothing, that is, once access is granted, it cannot be controlled in any other ways. This makes it difficult to control copying, secondary distribution, as well as to obtain payment for all uses.

[0019] Originator controlled data dissemination is desirable. Several policies for control of dissemination of paper documents are specified in Control of Dissemination of Intelligence Information, Directive No. 1/7, Director of Central Intelligence, May 4, 1981. This Originator-Controlled (ORCON) policy has motivated development of computerized access controls. ORCON requires the permission of the originator to distribute information beyond the original receivers designated by the originator. The Propagated Access Control (PAC) policy and the related Propagated Access Control List (PACL) were proposed as one way of implementing ORCON. “On the Need for a Third Form of Access Control,” Graubart, R., Proceedings of the 12th National Computer Security Conference, pp. 296-303, 1989. Whenever an authorized subject reads an object with an associated PACL, that PACL becomes associated with the subject. Any new object created by the subject inherits the PACL. PACLs are associated with both subjects and objects.

[0020] Owner-Retained Access Control (ORAC) (described in “Beyond the Pale of MAC and DAC: Defining New Forms of Access Control,” McCollum, C. J., et al. Proceedings of the Symposium on Research in Security and Privacy, IEEE Computer Society Press, 1990) is similar to PAC in propagating ACLs with non-discretionary enforcement. ORAC goes further, retaining the autonomy of all originators associated with a given object in making access decisions, while basing mediation of requests on the intersection of the access rights that have been granted. ORAC is motivated to implement several of the DCID 1/7 policies in addition to ORCON, namely NO_CONTRACTOR, NO_FOREIGN, and RELEASABLE_TO.
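The PAC propagation rule of [0019] and the ORAC intersection mediation of [0020], worked through in a small Python model written for this page; it is not code from the cited papers, and the originators, subjects, rights and the merge rule used when one originator appears twice are constructed assumptions:

```python
"""PAC/PACL propagation with ORAC-style intersection mediation.

Added illustration for this page; not code from Graubart's or McCollum's
papers. Names, rights and grants are constructed sample values."""
from __future__ import annotations

from dataclasses import dataclass, field

ALL_RIGHTS = frozenset({"read", "copy"})

# A PACL maps each originator to the rights that originator granted each
# subject: originator -> (subject -> frozenset of rights).
PACL = dict[str, dict[str, frozenset[str]]]


@dataclass
class Obj:
    name: str
    pacl: PACL = field(default_factory=dict)


@dataclass
class Subject:
    name: str
    # PACLs accumulated from every object this subject has read (PAC rule).
    pacl: PACL = field(default_factory=dict)


def merge_pacl(a: PACL, b: PACL) -> PACL:
    """Union of originators. Modelling choice made here (not stated on the
    page): when one originator appears on both sides, keep the intersection
    of what it granted, since the result carries information from both."""
    out: PACL = {o: dict(g) for o, g in a.items()}
    for origin, grants in b.items():
        if origin not in out:
            out[origin] = dict(grants)
            continue
        mine = out[origin]
        for subj in set(mine) | set(grants):
            mine[subj] = mine.get(subj, frozenset()) & grants.get(subj, frozenset())
    return out


def effective_rights(pacl: PACL, subject: str) -> frozenset[str]:
    """ORAC mediation: a right is held only if every originator on the PACL
    granted it to this subject. An object with no PACL is unrestricted."""
    rights = ALL_RIGHTS
    for grants in pacl.values():
        rights &= grants.get(subject, frozenset())
    return rights


def read(subject: Subject, obj: Obj) -> None:
    if "read" not in effective_rights(obj.pacl, subject.name):
        raise PermissionError(f"{subject.name} may not read {obj.name}")
    # PAC rule: the object's PACL now becomes associated with the reader.
    subject.pacl = merge_pacl(subject.pacl, obj.pacl)


def copy_obj(subject: Subject, obj: Obj) -> Obj:
    if "copy" not in effective_rights(obj.pacl, subject.name):
        raise PermissionError(f"{subject.name} may not copy {obj.name}")
    # The PACL stays indelibly attached to the copy.
    return Obj(obj.name + "-copy", merge_pacl({}, obj.pacl))


def create(subject: Subject, name: str) -> Obj:
    """Any new object inherits every PACL its author has accumulated."""
    return Obj(name, merge_pacl({}, subject.pacl))


def release_allowed(obj: Obj, recipient: str) -> bool:
    """ORCON: information may reach `recipient` only if every originator on
    the PACL designated that recipient (modelled as granting at least read)."""
    return "read" in effective_rights(obj.pacl, recipient)


def demo() -> dict[str, frozenset[str]]:
    """Alice reads two differently originated objects, then writes a summary;
    the summary is mediated on the intersection of both originators' grants."""
    report_a = Obj("report-A", {"OrigA": {"alice": frozenset({"read", "copy"}),
                                          "bob": frozenset({"read"})}})
    memo_b = Obj("memo-B", {"OrigB": {"alice": frozenset({"read"}),
                                      "carol": frozenset({"read"})}})
    alice = Subject("alice")
    read(alice, report_a)
    read(alice, memo_b)
    summary = create(alice, "summary")        # PACL now lists OrigA and OrigB
    return {
        "alice@report-A": effective_rights(report_a.pacl, "alice"),
        "alice@summary": effective_rights(summary.pacl, "alice"),   # read only
        "bob@summary": effective_rights(summary.pacl, "bob"),       # nothing
        "carol@summary": effective_rights(summary.pacl, "carol"),   # nothing
    }
```

Note that bob and carol lose access to the summary even though each was granted read by one originator: that is the intersection rule doing its work.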

[0021] Originator-Controlled Access Control (ORGCON) (described in “Generalized Framework for Access Control: Towards Prototyping the ORGCON Policy,” Abrams, M. D., et al. Proceedings of the 14th National Computer Security Conference, October 1991) is a strong form of identity-based access control—it explicitly defines authority and delegation of authority, provides for accountability, and has an explicit inheritance policy. In ORGCON, the distribution list is indelibly attached to the object (i.e., the distribution list cannot be disassociated from the object, even in the limited cases where copying is permitted). ORGCON is a read, no-copy policy. Its formal model (taught in “A Rule-Set Approach to Formal Modeling of a Trusted Computer System,” LaPadula, L. J., Computing Systems Journal, Vol. 7, No. 1, pp. 113-167, Winter 1994) distinguishes among device types in order to deal with the policy that no storage copy of an object is permitted. Information may be copied only to the display and printer, but not to any other device types.

[0022] The Typed Access Matrix (TAM) Model (described in “The Typed Access Matrix Model,” Sandhu, R. S., Proceedings of the Symposium on Research in Security and Privacy, IEEE Computer Society, pp. 122-136, 1992; and “Implementation Considerations for the Typed Access Matrix Model in a Distributed Environment,” Sandhu, R. S., and G. S. Suri, 1992, Proceedings of the 15th National Computer Security Conference, pp. 221-235) incorporates strong typing into the access matrix model to provide a flexible model that can express a rich variety of security policies while addressing propagation of access rights and the safety problem. The safety problem is closely related to the fundamental flaw in Discretionary Access Control (DAC) that malicious code can modify the protection state. Types and rights are specified as part of the system definition; they are not predetermined in TAM.

[0023] The prior art, including cryptographic processes, tokens, dongles, so-called “uncopyable” media, various executable software protection schemes, and executable software for printing that places an identifier on all printed output in a fashion not apparent to a human, fails to limit either secondary distribution or distribution of derivative works.

[0024] This shortcoming is not a failure of mechanism, but rather it is an architectural design omission. The problem of copying by the authorized user is simply not addressed. In each case, once the data are available to an authorized user, they are basically unprotected and may be copied, modified, or transmitted at will. Schemes that include identifiers on printed material, although they may aid in identifying the source of copied material, do not prevent secondary distribution.

[0025] Executable software-based cryptography can ensure that data are distributed only to authorized users. However, once data are received they may be freely manipulated and redistributed.

[0026] The information to be protected is encrypted and transmitted to the authorized user(s). In some systems the encrypted information is made freely available. Separately, a decryption key is provided only to authorized users. The key is subsequently used to enable decryption of the information so that it is available to the authorized user(s). It is at this point that the information is subject to manipulation and redistribution without further limitation.

[0027] As mentioned above, a dongle or token can be used to authorize access to executable software. However, once access has been granted to information, that information is subject to manipulation and redistribution without further limitation. Further, dongles have proven to be unpopular because of the need to keep track of them and ensure that they are separately secured.

[0028] Uncopyable media, generally used either to control distribution of information or to control usage of executable software, are unpopular because of the user's inability to create a backup copy. Further, most so-called uncopyable disks have fallen victim to general-purpose duplication programs, rendering their protection useless. Sometimes, as in early releases of Lotus 1-2-3, an uncopyable disk was provided with the executable software release and had to be inserted in a floppy-disk drive for the executable software to function (operating as a disk dongle). Users soon learned how to by-pass the executable software so that the disk need not be present. Even where partially effective, the uncopyable disk did not serve as a deterrent to capturing information and redistributing it.

[0029] The degree of protection of data is typically determined by the data owners and/or distributors based on their security analysis. It is common to perform security analysis in terms of risks, threats, vulnerabilities, and countermeasures. An owner's estimate of the probability that a particular threat will materialize is crucial to selecting appropriate rules to protect property rights.

[0030] Threat can be characterized as the intensity of attack on the data, which can be described as low, medium, and high.

Low: For a security function to be rated as “suitable for use in a low threat environment,” it shall be shown that the security function provides protection against unintended or casual breach of security by attackers possessing a low level of expertise, opportunities, resources and motivation. However, such a security function may be capable of being defeated by a knowledgeable attacker.

Medium: For a security function to be rated as “suitable for use in a medium threat environment,” it shall be shown that the security function provides protection against attackers possessing a moderate level of expertise, opportunities, resources and motivation.

High: For a security function to be rated as “suitable for use in a high threat environment,” it shall be shown that the security function provides protection against attackers possessing a high level of expertise, opportunity, resources and motivation. A successful attack is judged as being beyond normal practicality.

[0031] The following list covers some common anticipated threats to data and processing systems.

[0032] Threat: Capture of Output Signal

[0033] No matter what method is used to protect a data file, the data stored therein can be captured as a signal en route to an output device. Capture of an analog output results in some degradation of signal quality. But the market for bootleg copies of videos, for example, appears to be insensitive to such quality if the price is right. A captured digital signal suffers degradation of quality only as a result of bit errors (i.e., if the data capture was not completely accurate).

[0034] This threat is well known to the entertainment industry. Various approaches to protection have been incorporated in set-top boxes discussed in “Inside the Set-Top Box,” Ciciora, W. S., IEEE Spectrum, pp. 70-75, April 1995.

[0035] Threat: Digital Copying

[0036] Once data have been decrypted, the resulting cleartext must be protected from unauthorized copying. Creating an unauthorized local copy, or disseminating the data without authorization, each results in an original-quality copy without compensation to the owner.

[0037] Threat: Deliberate Attack via Legacy (pre-existing) and Customized Hardware

[0038] High-intensity attack by attackers possessing a high level of expertise, opportunity, resources and motivation must be considered. Attackers in this category might include foreign governments and industrial espionage agents, teenage crackers, and resellers of pirated intellectual property. One manifestation of this threat is in uncontrolled hardware. The nominally protected information would be available in the memory and could be accessed via dual-ported memory or even by DMA (direct memory access) from a peripheral.

[0039] A strong indication of the usefulness and desirability of the present invention can be found in the legislation pending before the U.S. Congress to make illegal the by-passing or avoiding of copyright protection schemes. See S.1284, 104th Congress, 1st sess. (1995).

[0040] It is desirable to have a system of distributing data (intellectual property) that prevents copying, restricts re-distribution of the data and provides controlled access to the data.

SUMMARY OF THE INVENTION

[0041] This invention controls access to and use and distribution of data.

[0042] For example, when the data are in the form of textual and graphical information, this invention can control how much of the information is displayed and in what form; or, when the data represents a computer software program, this invention can control how much of the software's functionality is available. Classified data are similarly controlled.

[0043] In addition, this invention controls secondary distribution and creation of derivative works. Prior art systems rely on software for security. Without the tamper detection/reset mechanism of this invention, software can be modified or data can be intercepted, rendering useless any attempts at control.

[0044] Degrees of protection utilized in the computer system hardware (for example, tamperproof and tamper-detect features) and the cryptographic tools will depend on the nature of the data to be protected as well as the user environment.

[0045] In one preferred embodiment, this invention is a method of controlling access to data by protecting portions of the data; determining rules concerning access rights to the data; preventing access to the protected portions of the data other than in a non-useable form; and permitting a user access to the data only in accordance with the rules as enforced by a tamper detecting mechanism.

[0046] In another preferred embodiment, this invention is a device for controlling access to digital data, the digital data comprising protected data portions and rules concerning access rights to the digital data. The device includes storage means for storing the rules; and means for accessing the protected data portions only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data.

[0047] In another aspect, this invention is a method of distributing digital data for subsequent controlled use of the data by a user. The method includes protecting portions of the digital data; preventing access to the protected portions of the data other than in a non-useable form; determining rules concerning access rights to the data; protecting the rules; and providing the protected portions of the digital data and the protected rules. The user is provided controlled access to the data only in accordance with the rules as enforced by a tamper detecting access mechanism.

[0048] In another aspect, this invention is a storage device, readable by a machine, tangibly embodying a package of digital data comprising protected portions of digital data; and rules concerning access rights to the digital data, whereby a user is provided controlled access to the digital data only in accordance with the rules as enforced by a tamper detecting access mechanism.

[0049] The data represent computer software, text, graphics, audio, and video, alone or in combinations.

[0050] The protecting is done by encrypting the portions of the data, and access is prevented to the encrypted portions of the data other than in encrypted form.

[0051] In some embodiments the rules are provided with the data, whereas in others the rules are provided separately. The rules can specify various access rights and controls, including rights of further distribution of the data.

[0052] In preferred embodiments, data are destroyed when tampering is detected.

[0053] The device containing the mechanism of the present invention can be a stand-alone device such as a facsimile machine, a television, a VCR, a laser printer, a telephone, a laser disk player, a computer system or the like.

[0054] As noted above, rules, policies and protections of data are typically made by the data owners and/or distributors based on their security analysis of various threats. The various threats listed above are dealt with by countermeasures in the present invention.

[0055] Threat: Capture of Output Signal

[0056] Countermeasure: Encrypt or Scramble Output Signal

[0057] Protection of the output signal is accomplished with encryption of a digital signal (as is done in the present invention) and scrambling of an analog signal. This solution requires installing decryption or unscrambling capability in the output device, TV or monitor, along with appropriate tamper-detection capability. Encryption or scrambling might be effected using a public key associated with the output device (although, to prevent so-called “spoofing,” obtained from a certification authority and not from the output device). Alternatively, the output might be encrypted or scrambled using a private key only available to the designated output device (again ensured via some certification mechanism). The output signal is decrypted or unscrambled by the output device using its private key and is not available in plaintext form outside of the device's protected enclosure.

[0058] Countermeasure: Protect Output Signal by Packaging

[0059] The output signal is protected by making it unavailable outside the access mechanism. A sealed-unit computer with tamper detection provides the necessary protection. Examples of the acceptability of such packaging include lap-top computers and the original Macintosh computer, as well as integrated televisions, VCRs and video or audio laser disk players.

[0060] Threat: Digital Copying

[0061] Countermeasure: Secure Coprocessor

[0062] Selection of a secure coprocessor is indicated to implement protection against unauthorized use when an operating system (OS) is determined to be untrustworthy—that is, when the OS cannot provide adequate resistance to the anticipated threat. When the OS is untrustworthy, any measures implemented in the OS, or protected by it, can be circumvented through the OS or by by-passing it.

[0063] Countermeasure: Detection of Unsealing

[0064] The protection provided by a coprocessor could be circumvented by tampering. The coprocessor is protected by tamper detection that causes the rules, cryptographic data, and decrypted protected data to be destroyed. Both passive and active means are used to effect such destruction. Semiconductor memory is volatile and does not retain data when power is removed. A long-life battery provides energy sufficient to allow rewriting (zeroizing) nonvolatile memory containing, for example, the private key. Without the private key the system will be unable to decrypt any protected data and it must be returned to an authorized service facility for installation of a new private key.

[0065] Threat: Deliberate Attack via Legacy and Customized Hardware

[0066] Countermeasure: Keep the Information on the Coprocessor Board

[0067] Access may be controlled if the information leaves the coprocessor board only for output purposes. Deciphered information is retained in memory on the coprocessor board, not in main memory. Program execution occurs in the coprocessor on the board (e.g., operating in the same manner as did so-called “accelerator” coprocessors that allowed a user to install an 80286 processor in an 80186 system, allowing the user to shift all functions to or from the faster coprocessor using a software command). Where information must leave the coprocessor board, e.g., to be sent to an output device, it may, depending on the associated rules, be encrypted. To receive and process encrypted data, the output device must have an access mechanism as well as public and private keys and tamper detect capability. Because some output peripheral devices do not have the capability of retransmission, the device may be a subset of the full access mechanism associated with a processor or computer system.

BRIEF DESCRIPTION OF THE DRAWINGS

[0068] The above and other objects and advantages of the invention will be apparent upon consideration of the following detailed description, taken in conjunction with the accompanying drawings, in which the reference characters refer to like parts throughout and in which:

[0069] FIG. 1 is a schematic block diagram of an embodiment of a digital data access and distribution system according to the present invention;

[0070] FIGS. 2 and 3 show logical data structures used by the system depicted in FIG. 1;

[0071] FIG. 4 is a flow chart of the authoring mechanism of the embodiment of the present invention depicted in FIG. 1;

[0072] FIG. 5 is a schematic block diagram of another embodiment of a digital data access and distribution system according to the present invention;

[0073] FIG. 6 is a logical data structure used by the embodiment depicted in FIG. 5;

[0074] FIG. 7 is a flow chart of the authoring mechanism of the embodiment of the present invention depicted in FIG. 5;

[0075] FIGS. 8 and 9 show schematic block diagrams of embodiments of the access mechanism according to the present invention;

[0076] FIGS. 10(a)-13 are flow charts of the data access using the access mechanisms shown in FIGS. 8, 9 and 15;

[0077] FIG. 14 shows an embodiment of the invention which uses an external user status determination mechanism;

[0078] FIG. 15 is a schematic block diagram of an embodiment of a distribution system for derivative works according to the present invention;

[0079] FIG. 16 is a flow chart of data access using the access mechanism shown in FIG. 15;

[0080] FIGS. 17(a) and 17(b) show packetized data according to the logical data structures shown in FIGS. 2 and 6;

[0081] FIGS. 18(a)-23(b) show various examples of data and their packaging according to the present invention; and

[0082] FIG. 24 shows various implementation levels of a typical computer system employing an access mechanism according to the present invention.

DETAILED DESCRIPTION OF THE PRESENTLY PREFERRED EXEMPLARY EMBODIMENTS

[0083] A schematic block diagram of a presently preferred exemplary embodiment of a digital data access and distribution system 100 according to the present invention is depicted in FIG. 1. System 100 includes two main components: a data distributor 102 and a user 104. The data distributor 102 takes data 106 and produces packaged data 108 which are provided to the user 104 via communication channel 105, perhaps in return for some form of payment 110.

[0084] Corresponding to each of the distributor 102 and the user 104 are the system's authoring mechanism 112 and access mechanism 114, respectively. The authoring mechanism 112 of the distributor 102 takes the data 106 to be packaged and produces packaged data 108 which is provided to user 104 by a distribution mechanism 118. The packaged data 108 may include access rules 116 in encrypted form encoded therewith, or the access rules 116 may be provided to the user 104 separately (as shown in the embodiment of FIG. 5).

[0085] The access mechanism 114 of the user 104 takes the packaged data108, either including an encrypted version of the access rules 116 orhaving the access rules provided separately, and enables the user toaccess the data in various controlled ways, depending on the accessrules.

[0086] Data 106 provided to or generated by the distributor 102 can beany combination of binary data representing, for example, computersoftware, text, graphics, audio, video and the like, alone or incombinations. As described below (with respect to the embodiment shownin FIG. 15), in some embodiments data 106 can also include otherpackaged data produced by an authoring mechanism according to thisinvention.

[0087] The difference between the embodiments of the distributors 102and 190, shown in FIGS. 1 and 15, respectively, is that the distributor102 (FIG. 1) does not include an access mechanism 114. Accordingly,distributor 102 deals only with newly created data (that is, withnon-derivative data). The embodiment shown in FIG. 15 (discussed below)includes the functionality of the embodiment shown in FIG. 1, and canalso deal with input of protected data (previously packaged by adistributor). The embodiment of distributor 102 shown in FIG. 1 can beimplemented purely in software (depending on the trust level of theemployees of the publisher), whereas the embodiment of distributor 190shown in FIG. 15 requires some hardware implementation.

[0088] Data 106 can also be provided to the distributor in non-digitalform and converted to digital form by the distributor in a known andsuitable fashion. The content of the data 106 can include, for example,news, entertainment, education, analysis and the like, alone or incombinations.

[0089] Note, as used herein, computer software refers to any softwareprogram used to control any computer processor. This includes, but is inno way limited to, processors in stand-alone computers; processors invideo and audio devices such as televisions, video recorders and thelike; processors in output devices such as printers, displays, facsimilemachines and the like; and processors in appliances, automobiles,telephones and the like.

[0090] The data 106 are typically intellectual property subject tocontrol. In some cases, distributor 102 may receive some form of payment110 from the user 104 for accessing the data. This payment, or some partthereof, may then be provided directly to the actual owner (not shown)of the data 106. Further, the payment or part thereof may be madebefore, during or after use of the data.

[0091] As noted above, the packaged data 108 may include an encryptedversion of the access rules 116, or these rules may be provided to theuser separately. The logical data structure for the packaged data 108 isshown in FIG. 2 and includes an encrypted body part 120, an unencryptedbody part 122, encrypted rules 124 (if provided with the packaged data),and encrypted ancillary information 126. Encrypted rules 124 are anencrypted version of access rules 116.

[0092] The actual format and layout of the data is dependent on the typeof data, their intended use, the manner in which they are to be accessedand the granularity of control to be exercised on the data. Anencyclopedia, for example, would likely be organized differently from amovie or a musical selection. Since the data can be any combination ofbinary data, different parts of the packaged data 108 may be structureddifferently, as appropriate. Accordingly, encrypted body part 120 ispotentially made up of encrypted body elements, and similarly,unencrypted body part 122 is potentially made up of unencrypted bodyelements.

[0093] It is, however, envisaged that in presently preferred embodimentsthe data will be structured such that some data parts or elements haveheader information which enables the data to be traversed or navigatedaccording to whatever rules are to be applied and in a mannerappropriate for those data.

[0094] An example of the structure of rules 116 is shown in FIG. 3,wherein the rules include various forms of validity checking andidentification information such as version number 127, authenticationdata 128, license number 130, intellectual property identifier 132,first and last valid generations of the product 134, 136. The rules 116further include an encrypted data key 138 as well as the actual rules140, 142, 144-146 to be applied when access is made to the data by auser. The actual rules include, but are not limited to, standard,extended and custom permissions 140, 142, 144-146, and co-requisiterules (permission lists) of source data 145.

[0095] The function of each field in the rules shown in FIG. 3 is givenin TABLE I, below. TABLE I Field Function Version number 127 Definesinternal configuration template Authentication (hash) 128 Validatesintegrity of this data file. License number of these Used by publisherto rules 130. identify owner. Intellectual property Identifies theidentifier 132. intellectual property product. First valid generation ofDefines extent of the product 134. validity of the license. Last validgeneration of Defines extent of the product 136. validity of thelicense. Encrypted data key 138. Key to access the data. Standardpermissions 140. List of basic access permissions for data. Extendedpermissions 142. List of extended access permissions for data. Custompermissions 144. Executable code modules. Co-requisite rules Indicateswhich source (permissions) for source data rules are needed. data 145.Token/biometrics 146 Indicates the physical tokens and/or biometriccharacteristics (if any) required for identification of each authorizeduser. System IDs/Public keys Other systems to which 147 these rules maybe redistributed.

[0096] A complete introduction and references to further readingconcerning cryptography and cryptographic techniques and mechanisms arefound in Abrams, M. D. and Podell, H. J., “Cryptography,” Security-AnIntegrated Collection of Essays, Abrams, M. D. et al, eds. IEEE ComputerSociety Press, 1995, which is hereby incorporated herein by reference.

[0097] The Authoring Mechanism

[0098] As shown in FIG. 1, the authoring mechanism 112 of the distributor 102 takes data 106 and produces packaged data 108 for distribution. The process of producing the packaged data which includes rules 116 is described with reference to FIGS. 1-4.

[0099] The authoring mechanism 112 incorporates existing source data 106 into a packaged format for dissemination. As noted above, data 106 can include but are not limited to combinations of computer software, text, graphics, audio, video and the like. The data 106 may be provided to the authoring mechanism 112 in various proprietary data formats used in vendor software packages as well as having lower level formats for graphics, tables, charts, spreadsheets, text, still and motion pictures, audio and the like.

[0100] Using the authoring mechanism 112, those elements of the data 106 that are to be encrypted are selected, as are the cryptographic algorithms and protocols to be employed, the payment procedures for the use of the data, and other decisions governing how the user 104 will be permitted to use the data. These decisions are used in constructing the permission lists to be included in the rules 116. Different classes of users can be defined, based, for example, on age, fee paid, qualifications and the like.

[0101] The presently preferred embodiment employs asymmetric encryption algorithms in the authoring and access mechanisms. The keys for these algorithms are protected within the system and are never exposed. The data-encrypting key, K_(D), is the same for all copies of the data. K_(D) is selected by the distributor 102 and may be different for each product (i.e., for each packaged data 108). The symmetric encryption algorithm used for encrypting the data is associated with K_(D) and may also be selected by the distributor. K_(D) is encrypted using a rule-encrypting key K_(R). When the rules are distributed with the product (packaged data 108), K_(R) is the same for all products and all embodiments of the system. When the rules are distributed separately from the product, K_(R) can be unique for each version of the system. The rule-encrypting key K_(R) is known only to (and protected within) each receiving computer of each user.

[0102] With reference to FIG. 4, which shows a flow chart of a version of the authoring mechanism of the present invention in which the rules are distributed with the packaged data 108, the distributor 102 (acting as a representative of the owner of the data 106) selects a data-encrypting algorithm (DEA) (step S400) and data-encrypting key K_(D) (step S402), and encrypts the data-encrypting key K_(D) using K_(R) (step S404). The encrypted data-encrypting key K_(D) is then stored in the encrypted ancillary information 126 of the packaged data 108 (in step S406).

[0103] The algorithm selection (in step S400) is based on an assessment of risk, the degree of protection desired as well as other factors such as speed, reliability, exportability and the like. As used herein, risk refers to the expected loss due to, or impact of, anticipated threats in light of system vulnerabilities and strength or determination of relevant threat agents. Alternatively, risk can refer to the probability that a particular threat will exploit a particular vulnerability of the system. An analysis of risk, threats and vulnerability is provided below. Examples of possible data-encryption algorithms include, but are not limited to, DES, RSA, PGP and SKIPJACK. The system may use a preferred encryption algorithm and may also provide a mechanism for using algorithms provided with the data 106 by the owner of the data.

[0104] The data-encrypting key K_(D) may be generated in a typical manner, suitable for the selected data-encrypting algorithm. For data having lower value to its owner, or having lower risk of loss, all distributors may rely on a single data-encrypting key (or perhaps a number of data-encrypting keys). Another encryption scheme uses a unique data-encrypting key for each data set to be distributed.

[0105] Having selected a data-encrypting algorithm and key, K_(D) (S400-S402), and having encrypted and stored the key (S404-S406), the distributor 102 proceeds to process the various elements of the data 106. The data are processed at a granularity dependent on the type of restrictions needed on their use and on the form of the data themselves, that is, the form in which the data have been provided. The distributor obtains (step S407) and examines each part or element of the data (at the desired granularity) and determines whether or not the element being processed (the current element being examined) is in the body of the data (step S408) (as opposed to being rules or ancillary information). If the current element being examined is determined to be in the body of the data, the distributor then decides whether or not the current data element is to be protected (step S410), that is, whether or not access to that element of the data is to be controlled and the data element is to be encrypted.

[0106] If the current data element is not to be protected, it is stored (step S412) in the unencrypted body part 122 of the packaged data 108. Otherwise, if the current data element is to be protected, it is encrypted using the data-encrypting key K_(D) (step S414) and then the encrypted current data element is stored in the encrypted body part 120 of the packaged data 108 (step S416), after which the next element is processed (starting at step S407).

[0107] For example, if the data 106 are a textual article, the abstract of the article might not be protected (encrypted) while the rest of the article would be.

[0108] If the current data element is determined not to be in the body of the data (step S408), the distributor then determines if the current data element is access rules provided by the data owner (step S418). If so, the rules are protected by encrypting them using the rule-encrypting key K_(R) (step S420) and the encrypted rules are then stored in the encrypted rules part 124 of the packaged data 108 (step S422).

[0109] If the current data element (being processed) is not access rules, the distributor determines whether or not it is ancillary information (step S424). This information includes such things as the identification of the publisher and the like. If the current data element is determined to be ancillary information, the ancillary information is protected by encrypting it using the data-encrypting key K_(D) (step S426) and then the encrypted ancillary information is stored in the encrypted ancillary information part 126 of the packaged data 108 (step S428).

[0110] If the data are rules or ancillary information to be encrypted, then, after appropriate processing, the next data element is processed (step S407).

[0111] If the current data element is not a body part, access rules or ancillary information, some form of error is assumed to have occurred and is processed (step S430). After the error has been processed, the mechanism can continue processing the next data element (step S407) or terminate, depending on the implementation.
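The FIG. 4 loop of steps S402 to S430, written out as an added Go example (not code from the patent): AES-256-GCM stands in for the DEA chosen at step S400, K_D is a fresh 32-byte key per product, K_R is passed in as the 32-byte key the receiving access mechanisms hold, and each element is routed to the FIG. 2 part the steps prescribe; an element of unknown kind is the S430 error case.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ElementKind is the classification made at steps S408/S410/S418/S424 of FIG. 4.
type ElementKind int

const (
	BodyClear     ElementKind = iota // part 122, stored in the clear (S412)
	BodyProtected                    // part 120, encrypted under K_D (S414/S416)
	AccessRules                      // part 124, encrypted under K_R (S420/S422)
	Ancillary                        // part 126, encrypted under K_D (S426/S428)
)

// Element is one unit of data 106 at the granularity chosen by the distributor.
type Element struct {
	Kind ElementKind
	Data []byte
}

// Package mirrors the logical structure of FIG. 2.
type Package struct {
	EncryptedBody, UnencryptedBody     [][]byte // parts 120 and 122
	EncryptedRules, EncryptedAncillary [][]byte // parts 124 and 126
	WrappedDataKey                     []byte   // K_D under K_R, kept with part 126 (S404/S406)
}

// gcmFor instantiates AES-256-GCM, the DEA assumed here for step S400 (assumption, not from the page).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one element under key; the random nonce is prepended so that
// every element (and the wrapped K_D) can be decrypted independently with Open.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Author runs the FIG. 4 loop (S402..S430); kR is K_R, held only by receiving access mechanisms.
func Author(kR []byte, elements []Element) (*Package, error) {
	kD := make([]byte, 32) // S402: a fresh K_D for this product
	if _, err := rand.Read(kD); err != nil {
		return nil, err
	}
	wrapped, err := seal(kR, kD) // S404
	if err != nil {
		return nil, err
	}
	pkg := &Package{WrappedDataKey: wrapped} // S406
	for i, el := range elements { // S407: obtain the next element
		var key []byte
		var dst *[][]byte
		switch el.Kind {
		case BodyClear:
			pkg.UnencryptedBody = append(pkg.UnencryptedBody, el.Data)
			continue
		case BodyProtected:
			key, dst = kD, &pkg.EncryptedBody
		case AccessRules:
			key, dst = kR, &pkg.EncryptedRules
		case Ancillary:
			key, dst = kD, &pkg.EncryptedAncillary
		default: // S430: this implementation terminates rather than continuing
			return nil, fmt.Errorf("element %d: unrecognized kind %d", i, el.Kind)
		}
		c, err := seal(key, el.Data)
		if err != nil {
			return nil, err
		}
		*dst = append(*dst, c)
	}
	return pkg, nil
}

func main() {
	kR := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte K_R for a stand-alone run
	pkg, err := Author(kR, []Element{{BodyClear, []byte("abstract")}, {BodyProtected, []byte("body")}})
	if err != nil {
		panic(err)
	}
	fmt.Printf("clear=%d protected=%d\n", len(pkg.UnencryptedBody), len(pkg.EncryptedBody))
}
```

The receiving side recovers K_D by opening WrappedDataKey under K_R and then opens each part-120 and part-126 element under K_D; the rules in part 124 open only under K_R.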

[0112] The operation of the system 101 shown in FIG. 5 differs from system 100 of FIG. 1 in that the rules 116 are distributed to users 104 separately from the packaged data 108. This is achieved with an authoring mechanism 148 which takes as input data 106 and rules 116 and produces, separately, packaged data 150 and packaged rules 152. The packaged data 150 without the rules has the form shown in FIG. 6, which is essentially the same as the structure shown in FIG. 2, but without the encrypted rules 124.

[0113] Note that a hybrid system, wherein some rules are packaged with the data and other rules are packaged separately, is foreseen, using a combination of the mechanisms shown in FIGS. 1 and 5. In such a system, an operator selects which mode of operation to employ.

[0114] FIG. 7 shows a flow chart of a version of the authoring mechanism 148 of the present invention in which the rules 116 are distributed by distributor 102 separately from the packaged data 150. Rules 116 and data 106 can be presented to the authoring mechanism 148 in any order, or in an interleaved fashion. In fact, the rules 116 need not all be provided together. The distributor 102 first selects a data-encrypting algorithm and a data-encrypting key, K_(D) (step S700). Then the authoring mechanism 148 processes the data element-by-element (starting at step S702). As in the case of the mechanism shown in FIG. 4, a data element is assumed to be one of either a body part, ancillary information or access rules.

[0115] First it is determined whether or not the current data element is a body part (step S716). If it is determined (in step S716) that the current data element is a body element, then it must be determined (in step S718) whether or not the data are to be protected. As in the case when the rules are distributed with the packaged data 108, the decision as to whether or not to protect a specific data element depends on the owner of the data and the distribution policies as implemented in the rules.

[0116] If the data are to be protected (step S718), the data in the current data element are encrypted using data-encrypting key K_(D) (step S720) and then the encrypted data are stored in the packaged data 150 in the encrypted body part section 120 (step S722). On the other hand, if the data in the current data element are not to be protected, the data are stored in the unencrypted body part section 122 of the packaged data 150 (in step S724). In either case, after the data element is stored (steps S722 or S724), the next data element is processed (starting at step S702).

[0117] If the current data element is determined not to be a body element (step S716), then the mechanism checks to determine whether or not the current data element is ancillary information (step S726). If the current data element is determined to be ancillary information, it is protected by encrypting it using data-encrypting key K_(D) (step S728) and then the encrypted current data element is stored in the packaged data 150 in the encrypted ancillary information section 126 (in step S730). Then the next data element is processed, starting at step S702.

[0118] If the current data element is neither a body element (step S716) nor ancillary information (step S726), then it is determined whether or not the current data element is access rules (step S732). If so, the rules are to be distributed separately from the packaged data 150, and are processed accordingly as follows:

[0119] If this is the first time the access mechanism is processing rules for this data set then a rule-encrypting key K_(R) must be determined. Accordingly, it is determined whether these are the first rules being processed for this data set (step S734). If so, obtain and validate the serial number, SN, of the system (steps S736 and S738). Then calculate the rule-encrypting key K_(R) as a function of the validated serial number (K_(R)=f(SN), for some appropriate function f) (step S740). Function f may, for example, be an inquiry to a certification database or certification authority to obtain the public key so as to ensure that the serial number is authentic. Having determined the rule-encrypting key (step S740), encrypt the data key K_(D) with the calculated rule-encrypting key K_(R) (step S742) and store the keys (step S744). Next, encrypt the rules using the rule-encrypting key K_(R) (step S746). The encrypted rules and the encrypted data key K_(D) are stored as packaged rules 152 for subsequent distribution. The rule-encrypting key K_(R) may be stored or recalculated from the serial number whenever needed.

[0120] If it is determined (in step S734) that this is not the first rules being processed for this data set, then the rule-encrypting key K_(R) has already been calculated (step S740) and stored (step S744). In that case, the rules in the current data element are encrypted using the rule-encrypting key K_(R) (step S742). Once the rules in the current data element are processed, processing continues with the next data element (step S702).

[0121] If the authoring mechanism 148 determines that the current data element is not a body part (step S716), ancillary information (step S726) or rules (step S732), then some form of error has occurred and is processed (step S748). After an error has occurred, the mechanism 148 can either cease processing (step S750) or, in some embodiments, continue processing further data elements (step S702).

[0122] The data 106 provided to the distributor 102 and the packaged data 108 (or 150 and packaged rules 152, if provided separately) provided to the user 104 may be provided and distributed in various ways, including but not limited to, via digital communications networks (for example, the Internet or the projected National Information Infrastructure (NII)), magnetic media (for example, tape or disk), CD-ROM, semiconductor memory modules (for example, flash memory, PCMCIA RAM cards), and wireless (for example, broadcast). The packaged data 108 may be provided to a user as a single packaged entity or as a continuous stream of data. For example, a user may obtain a CD-ROM having a movie stored as packaged data thereon or the user may obtain the movie as a continuous stream of broadcast data for one-time viewing.

[0123] Information (such as the packaged data 108 from the distributor 102 to the user 104) can be transmitted openly, that is, using mechanisms and media that are subject to access and copying. In other words, communication channel 105 may be insecure.

[0124] The Access Mechanism

[0125] The access mechanism 114 allows a user 104 to access the data in packaged data 108 (or 150) according to the rules provided with (or separately from, as packaged rules 152) the packaged data and prevents the user or anyone else from accessing the data other than as allowed by the rules. However, having granted a user controlled access to data (according to the rules), it is necessary to prevent the user or others from gaining unauthorized access to the data. It is further necessary to prevent the data from being further distributed without authorization.

[0126] The access mechanism 114 used by the user 104 to access data is described with reference to FIG. 8 and includes a processing unit 154, read-only memory (ROM) 156, volatile memory (RAM) 158, I/O controller 165 and some form of energy source 166 such as, for example, a battery. Access mechanism 114 may also include electrically-alterable non-volatile memory 160, a hard disk 162, a display 164, and special purpose components such as encryption hardware 168.

[0127] The access mechanism 114 is also connected via insecure channels 174 and 176 and I/O controller 165 to various controlled display or output devices such as controlled printer 178 and controlled display monitor 180. (Interaction with these controlled devices is described in detail below.)

[0128] Various other devices or mechanisms can be connected to I/O controller 165, for example, display 155, printer 157, network connection device 159, floppy disk 161 and modem 163. These devices will only receive plaintext from the I/O controller 165, and then only such as is allowed by the rules. The network connection device 159 can receive either plaintext or encrypted text for further distribution.

[0129] All components of the access mechanism 114 are packaged in such a way as to exclude any unknown access by a user and to discover any such attempt at user access to the components or their contents. That is, the access mechanism 114 is packaged in a tamper-detectable manner, and, once tampering is detected, the access mechanism is disabled. The line 167 depicted in FIG. 8 defines a so-called security boundary for the components of the access mechanism 114. Any components required for tamper detection (tamper detect mechanism 169) are also included as part of the access mechanism 114. Tamper detect mechanism 169 is connected in some appropriate manner to processing unit 154, energy source 166, and non-volatile memory 160.

[0130] This invention employs a combination of physical self-protection measures coupled with means for detecting that the self-protection has been circumvented or that an attempt to circumvent the self-protection measures is being or has been made. When such intrusion is detected, passive or active mechanisms can be employed to destroy data. For example, the following can occur (not necessarily in the order stated, and usually in parallel): the access mechanism 114 is made inoperative; all cryptographic keys within the mechanism, the private key and any other keys and data are destroyed (zeroized); and power may be applied to clear non-volatile memory 160 and then is removed, resulting in loss of all data stored in volatile memory 158 so as to deny access to decryption keys as well as to any cleartext in those memories. As noted above, several operations can be accommodated or performed simultaneously when tampering is detected. This can be done by hardware circuits. Based on risk assessment and the availability of particular technology, other implementations may be selected.

[0131] Tamper detection allows the access mechanism 114 to ensure that all internal data (both the system's data and any user data) are destroyed before any tamperer can obtain them.

[0132] One way to deny access to the data within access mechanism 114 is to package all of the components within a physical case which defines the area which is excluded from user access. As an example, a typical portable lap-top computer meets the requirement of having all components within the same physical package or case. Detection that the case has been opened is straightforward and well known.

[0133] As an alternative embodiment of the access mechanism 114, the components of the access mechanism 114 can be used as a co-processor of another processor or computer. In this case, as shown in FIG. 9, the access mechanism 114 communicates with the other computer 170 via a communications channel 172. The co-processor can be implemented as a circuit board and is designed to be plugged into the bus 172 on the main board (that is, the mother board or planar board) of the other computer 170. In that case, the computer 170 will operate normally unless it needs to access controlled data, at which time it will pass control to the access mechanism 114.

[0134] The degrees of protection used in the access mechanism (for example, tamper-detect features) and the cryptographic tools employed will depend on the nature of the data to be protected as well as the user environment.

[0135] Several techniques for physically secure coprocessor packaging are described by Yee (Yee, B., Using Secure Coprocessors, Carnegie Mellon University, School of Computer Science, CMU-CS-94-149, 1994 (also available from the Defense Technical Information Center as AD-A281 255)). In Yee, physical protection is described as a tamper-detecting enclosure. The only authorized way through the enclosure is through a coprocessor-controlled interface. Attempts to violate physical protection in order to gain access to the components of the coprocessor module will be detected and appropriate action taken. For example, detection of attack results in erasure of non-volatile memory before attackers can penetrate far enough to disable the sensors or read memory contents.

[0136] Any known form of tamper protection and detection can be used, as long as it functions to destroy the data as required.

[0137] Any data which are to be sent out of the security boundary 167 are under the control of the access mechanism 114. All I/O requests and interrupts are handled by the access mechanism 114.

[0138] All communication between the components of the access mechanism 114 and the enclosed hard disk 162 is encrypted. Therefore, if the hard disk is removed from the mechanism, any data stored thereon will be inaccessible without the appropriate keys. The encryption of the data stored on the hard disk can use cryptographic keys generated within the access mechanism and which are never known outside of the mechanism. In this way, when tampering is detected, the cryptographic keys will be lost.

[0139] In general, within the system, the data are encrypted on any non-volatile storage devices so that they remain unavailable in the case of tampering. Unencrypted data are only present within the access mechanism 114 inside the security boundary 167 in components where the data can be destroyed when tampering with the access mechanism 114 is detected.

[0140] With reference to FIGS. 8 and 9, the access mechanism 114 is also connected via insecure channels 174 and 176 and bus 177 to various controlled or uncontrolled display or output devices such as described above. This allows the system to communicate with uncontrolled devices (so-called standard devices) as well as networks, within the context of the rules/permission list. (Interaction with these controlled devices is described in detail below.) All communications on the insecure channels 174 and 176 and on bus 177 are encrypted by the access mechanism 114 (and by the authoring mechanism 112), and the controlled output devices 178 and 180 must have suitable processing capabilities within them (including an access mechanism 114) to decrypt and process data which they receive. The display or output devices used will depend on the application and the type of data, and include, but are not limited to, printers, video display monitors, audio output devices, and the like.

[0141] The embodiment shown in FIG. 9 can also include other standard devices (connected to bus 177) such as, for example, standard printer 181, floppy disk 185, modem 187 and the like.

[0142] The Accessing Operation

[0143] When a user 104 obtains packaged data 108 (or 150) from adistributor 102, the user can then access the data according to therules provided therewith or provided separately. Data access issupported by the access mechanism 114 and is described with reference toFIGS. 8, 9 and 10(a), where FIG. 10(a) is a flow chart of the dataaccess using the access mechanisms shown in FIGS. 8 and 9.

[0144] Note initially that, depending on the type of data to be accessedand viewed, as well as the rules, the viewing process may or may not beinteractive. For example, if a user is accessing a textual document, theuser may choose to access only selected portions of that document, thechoice being made by viewing an index of the document. On the otherhand, if a user is accessing a movie, the viewing may be continuous (ifthe rules do not allow a user to re-watch portions of the movie withoutadditional payment). The access and viewing process is described herefor an interactive case, since non-interactive access can be consideredaccess with a single (“start-viewing”) interaction.

[0145] Note further that initiation of the access mechanism activatesmonitoring for interrupts and polling by the access mechanism 114. Auser may also implicitly invoke the access mechanism by accessing anobject (data) protected by the system. This invocation also activatesmonitoring for interrupts and polling.

[0146] The following discussion assumes, without loss of generality,that the data are being accessed by an application via an insecureoperating system (OS) which invokes the access mechanism 114. The intentis to show the manner in which controlled access of the data takesplace. In some foreseen environments, the operating system will belittle more than a simple run-time system or there will be only oneprogram running at all times. For example, in a video cassette recorderand playback machine (VCR), a single control program may be running atall times to control the VCR's operations. In this case, this controlprogram is considered the application, and all access to controlled datais initiated by the control program which invokes the access mechanism114.

[0147] To initiate an input access to a data element, a user mustrequest the operating system to read such data into memory from an I/Odevice. Initiating I/O gives control to the access mechanism 114.

[0148] For input access to an input data element, the access mechanism114 first determines whether the dataset containing the data element isalready open (step S1000). If the dataset is not already open, it isopened (step S1001). Once opened, it is determined whether or not thedataset is protected (step S1002). Note that the data being accessed mayor may not be part of packaged data. In some embodiments the accessmechanism 114 can maintain a record of which open datasets areprotected.

[0149] If it is determined that the dataset is not protected (stepS1002), then control returns to the invoking process (step S1006). Onthe other hand, if the dataset is protected (step S1002) then it isdetermined whether or not the rules for this dataset are useable(present, available and valid) (step S1004). (The process of determiningwhether the rules are useable, i.e., step S1004 is described below withreference to FIG. 11.)

[0150] If the rules are determined to be useable (step S1004) then it isdetermined whether the data element being accessed is different from themost recently accessed data element (step S1008). If so, the dataelement is opened (step S1010) (otherwise the data element is alreadyopened and available).

[0151] Next it is determined whether or not the data element isprotected (step S1012). If the data element is not protected thencontrol returns to the invoking process (step S1006). Otherwise, it isdetermined whether or not access is permitted (according to the rules)(step S1014). If no access to the data element is permitted then anaccess denial operation is performed (step S1016). For example,depending on the rules, the access mechanism 114 could either return tothe invoking process (e.g., the operating system) or abort or performsome other operation. Following the access denial operation (stepS1016), control returns to the invoking process (step S1006).

[0152] If access to the data element is permitted (step S1014), then thedata element is made available, consistent with the rules, (step S1018)and control returns to the invoking process (step S1006).

[0153] If, in step S1004, it is determined that the rules are not useable, then an access denial operation is performed (step S1016), following which control returns to the invoking process (step S1006).

[0154] In some embodiments and/or uses of the system, the system obtains and sets up for enforcement all of the rules in the encrypted rules 124 prior to any data access or selection. In other embodiments and/or uses, rules are set up or interrogated for enforcement as needed. Depending on the type of the data and the intended application, a minimal set of global rules (governing any or all access to the data) is typically set up prior to any data access. Accordingly, the enforcement of some of the rules is set up when the package is obtained, prior to any user access.

[0155] In some embodiments some of the required rules may not actually be provided, but are indicated by reference. In those cases, the referenced rules must be obtained when needed before data processing can continue.

[0156] Once the appropriate rules, if any, are set up (stored within the access mechanism 114), and the access mechanism is ready to enforce them, then, according to the rules, the user can access an element of the data.

[0157] The operating system is notified of the termination (normal or otherwise) of each program so that it may close any files opened by the program. Because it is possible that multiple programs may be executing at the same time, the system will remain in a protected state (if any protected data has been accessed) until all active programs conclude their execution. At that time all protected data in addressable memory are destroyed, all rules/permission lists of files that have been created are updated, all files are closed and system status flags are reset.

[0158] Whenever a user wishes to access protected data, the access mechanism 114 may determine that the rules are not yet available for determination of whether or not to allow that access. Three possibilities exist regarding the presence of the rules.

[0159] 1. The rules are packaged with the data.

[0160] 2. The rules are not packaged with the data but are already present in the access mechanism 114 (i.e., in memory). This situation occurs if, for example, the user loaded a disk containing the rules and then the access mechanism 114, upon receiving the interrupt announcing the disk's presence, read the first record, recognized it as rules and decrypted them, storing them for later use. (Reading a disk's contents in advance of any actual use is presently done, for example, by some virus checking programs.) If the implementor chose not to respond to interrupts when a device is loaded, then, when rules are required, the access mechanism 114 checks all “ready” devices and inputs those rules that are present. This covers the case where the rules are present on the hard disk.

[0161] 3. The rules are not present. That is, the rules are not packaged with the data and do not reside on any device attached to the system. In this case, the access mechanism 114 notifies the user that the rules are required. The user responds by either:

[0162] (a) indicating that the rules are not available (in which case the access mechanism 114 denies permission to the program); or

[0163] (b) loading the rules (in which case the access mechanism 114 confirms their identity and continues). If the access mechanism is unable to confirm their identity, it can reissue a request for the rules.

[0164] With reference to FIG. 11, first the access mechanism 114 checks to determine whether or not the rules are already determined useable (step S1100). If so, the process returns a “success” indication to the invoking process (step S1102).

[0165] If the rules have not already been determined to be useable (step S1100), then the rules are located. First it is determined whether or not the rules are packaged with the data (step S1104). If so, the rules are made available (by decrypting them, if needed) (step S1106). If the rules are successfully made available (e.g., decryption succeeds) (step S1108), then the rules are checked for integrity (step S1110). If the rules pass an integrity check, then a “success” indication is returned to the invoking process (step S1112), otherwise a “fail” indication is returned (step S1127).

[0166] If the rules are not packaged with the data (step S1104), then the access mechanism 114 determines whether the rules are on a device attached to the access mechanism 114 (steps S1116-S1118). If the rules are not found on any device, then the user is asked to provide the rules (step S1114). At that time the user can abort the process (step S1120), in which case a “fail” indication is returned to the invoking process (step S1127). If the user chooses not to abort but to provide rules, those rules are read (step S1122) and, if they are a correct set of rules (step S1124), made available (step S1106). If the rules are not a correct set of rules (step S1124), then the user is informed (step S1126) and is prompted again for the rules (step S1114).

[0167] Regardless of whether or not the rules are provided with the packaged data, once the rules have been decrypted they are stored in the access mechanism 114.

[0168] The process of executing an application to access the data according to the stored rules is described with reference to the flow chart shown in FIG. 12. For each data access operation to be performed by the application, first the operation is identified (step S1200) and the rules are checked (step S1202) to determine whether that operation is permitted (step S1204).

[0169] If it is determined (step S1204) that the operation is not permitted by the rules, a “failure” return-code is set (step S1206) and control is returned to the caller (operating system) (step S1208). On the other hand, if the operation is permitted (step S1204) then, if payment is determined to be acceptable (step S1210), processing continues. (Payment is discussed further below.) If payment is determined to be unacceptable (step S1210), a “failure” return-code is set and control returns to the invoking application (steps S1206 and S1208).

[0170] If payment is determined to be acceptable (step S1210), then it is determined whether or not the rules apply any restrictions on the data (step S1212) (for example, whether or not the rules restrict the output format or amount of the data in some way). If it is determined that the rules restrict the data then the restriction is enforced (step S1214) and the I/O is performed based on the restriction (step S1216), otherwise the I/O is performed without restriction (step S1216).

[0171] After performing I/O (step S1216), a “successful” return code is set (step S1218), and control returns to the invoking application.
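The read path of FIGS. 10(a), 11 and 12 (rules located and checked, operation permitted, payment acceptable, restriction enforced), as an added Python model that is not part of the patent. The key K_R, the package layout, the HMAC seal standing in for rule decryption plus integrity check, the XOR keystream standing in for the data cipher, and the prepaid balance used for the payment check are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed demo key. In the device, K_R is recovered via the CA certificate
# (paragraph [0185]); here it is simply a constant.
K_R = b"demo-rules-key-K_R"


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter keystream; a stand-in for the real data cipher, not for production."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def seal_rules(rules: dict, key: bytes = K_R) -> dict:
    """Produce the package's 'encrypted rules 124': the rule body plus an HMAC tag under K_R."""
    body = json.dumps(rules, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


# Constructed rule set: permitted operations, a per-access price, a restriction on
# the amount of data returned, and the data key the rules carry.
DEMO_RULES = {"permitted": ["read"], "access_cost": 1.0, "max_chars": 20, "data_key": "0a" * 16}


def make_package(name: str, text: str, protected: bool = True,
                 rules: dict = DEMO_RULES, rules_packaged: bool = True) -> dict:
    """Build a constructed package with one data element, encrypted if protected,
    and with the sealed rules either packaged alongside it or left out."""
    if protected:
        element = xor_stream(bytes.fromhex(rules["data_key"]), text.encode())
    else:
        element = text.encode()
    pkg = {"name": name, "protected": protected, "elements": {"e1": element}}
    if protected and rules_packaged:
        pkg["rules"] = seal_rules(rules)
    return pkg


class AccessMechanism:
    """Minimal model of access mechanism 114 for input access."""

    def __init__(self, key: bytes = K_R, devices=None, balance: float = 0.0):
        self.key = key
        self.devices = devices or {}   # dataset name -> sealed rules found on a "ready" device
        self.rules = {}                # rules already determined useable, stored in the mechanism
        self.balance = balance         # prepaid balance consulted by the payment check (S1210)

    def rules_useable(self, package: dict) -> bool:
        """FIG. 11: locate the rules and decide whether they are useable (step S1004)."""
        name = package["name"]
        if name in self.rules:                   # S1100: already determined useable
            return True
        sealed = package.get("rules")            # S1104: packaged with the data?
        if sealed is None:
            sealed = self.devices.get(name)      # S1116-S1118: present on an attached device?
        if sealed is None:
            return False                         # S1114/S1120: not found and none supplied -> fail
        expect = hmac.new(self.key, sealed["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, sealed["tag"]):
            return False                         # S1108/S1110: cannot be made available or integrity fails
        self.rules[name] = json.loads(sealed["body"])   # [0167]: store the rules in the mechanism
        return True

    def read(self, package: dict, element: str, operation: str = "read"):
        """FIG. 10(a) and FIG. 12: one input access to a data element.
        Returns (status, data); a denied protected element yields only ciphertext or nothing."""
        blob = package["elements"][element]
        if not package.get("protected", False):  # S1002: unprotected dataset, hand it back as-is
            return ("ok", blob.decode())
        if not self.rules_useable(package):      # S1004 fails -> access denial (S1016)
            return ("denied", blob)              # [0210]: only ciphertext is retrievable
        rules = self.rules[package["name"]]
        if operation not in rules["permitted"]:  # S1014 / S1204: operation not permitted
            return ("denied", None)
        cost = rules.get("access_cost", 0.0)
        if cost > self.balance:                  # S1210: payment unacceptable
            return ("denied", None)
        self.balance -= cost
        text = xor_stream(bytes.fromhex(rules["data_key"]), blob).decode()
        limit = rules.get("max_chars")           # S1212-S1214: restriction on the amount of data
        if limit is not None:
            text = text[:limit]
        return ("ok", text)                      # S1218: success
```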

[0172] The Writing Operation

[0173] The process of writing data is described here with reference to FIG. 10(b). When an application attempts to write to a dataset, control is passed to the access mechanism 114 which opens the dataset for writing if it is not already open (steps S1020, S1022). Once opened, it is determined whether or not the dataset is to be protected (step S1024). The dataset (output file) would be protected if, for example, a protected dataset has been opened since the last time the access mechanism 114 cleared its memory or if the user indicated that output is to be protected (as when authoring a work).

[0174] Note that an output dataset may begin as unprotected and be written as unprotected (i.e., in the form it would have on a machine which does not have an access mechanism 114) and later additions to the dataset may require protection and therefore be written in the appropriate format. The transition between unprotected and protected data in a dataset is discussed below.

[0175] If the dataset is not to be protected (step S1024), control returns to the invoking process which writes the unprotected data (step S1026). On the other hand, if the dataset is to be protected (step S1024), then the rules are checked to determine whether or not output access is permitted (step S1028). If output access is not permitted, a denial operation is performed (step S1030). For example, depending on the rules, as part of this denial operation the access mechanism 114 could destroy the output data allowing randomized data to be written in their stead, could abort the function, or could abort the job. If access is permitted (step S1028), it is then determined whether a new data element is about to be written or whether new rules have been incorporated since the last write (step S1032). If either is the case, the rules are written (step S1034). After writing the rules (step S1034), or if neither was the case (step S1032), the data are encrypted if the rules so require (step S1036), and control returns to the invoking process (step S1026) where the (possibly encrypted) data are written.

[0176] Compatibility Issues

[0177] A protected dataset (packaged data) read by a system which does not employ an access mechanism 114 according to the present invention (or a dataset read by a system in non-protected mode) will be treated as data without any decryption taking place (by an access mechanism). In such a system, protected data elements will not be available to the user. This allows datasets (packaged data) to be freely copied and transmitted. Recipients will need to obtain any needed permission lists (rules) prior to being able to read the encrypted data in such datasets.

[0178] A non-protected (e.g., legacy) dataset (read using a system employing an access mechanism 114) that is treated as a protected dataset would require that rules be present before it would be accessed. The probability of such a mis-identification may be made vanishingly small, e.g., by computing a hash function of the data.

[0179] The user can be provided the opportunity to indicate that the dataset should be treated as unprotected. In order to do this, the access process described above with reference to FIGS. 10(a) and 11 allows a user to override the decision made in step S1002 as to whether or not the dataset is protected. Note that if a user incorrectly indicates that a protected dataset is unprotected, no access to the data would be available other than in encrypted (unusable) form.

[0180] Tamper Detection

[0181] If and when tampering is detected, the access mechanism 114 performs at least the following operations illustrated in FIG. 13. The cryptographic variables (e.g., keys) are destroyed (step S1305), all rules are destroyed (step S1302), all cleartext (un-encrypted) information is destroyed (step S1300), all files are closed (step S1304), and the device is otherwise deactivated (step S1306). While these operations are described sequentially, in preferred embodiments they occur simultaneously or in some concurrent or parallel order, as shown in FIG. 13. If some order must be imposed on these operations, the first priority is to erase the cryptographic variables (step S1305).

[0182] Operational Considerations

[0183] Certain operational procedures may also be important to maintaining the protections and controls inherent in the present invention. Specific operational procedures may be employed to prevent equipment being built that would operate with an access mechanism according to the present invention and that also contained methods for circumventing the protections and controls in the access mechanism.

[0184] These operational procedures involve inspection, analysis, testing, and perhaps other procedures followed by certification of authorized access mechanism implementations. The inspection might include design analysis and physical chip inspection. Upon successful inspection, a cryptographically sealed certificate is stored within the protection perimeter. Note that this certificate is one of the data items that is destroyed upon detection of tampering. The certificate is issued by an authorized Certification Authority (CA) and includes therein a decryption key issued by that CA.

[0185] In some preferred embodiments, the rule-encrypting key K_(R) is encrypted using the encryption key corresponding to the decryption key included in the certificate in each device. Then, in order to obtain K_(R) within the device, the device must have the decryption key which was stored in the certificate by the CA.

[0186] Payment

[0187] In our market economy, producers and distributors of goods and services expect to be compensated. Intellectual property producers and distributors are no exception. The needs of commerce have been a primary factor in the evolution of information technology throughout history. Many of today's information infrastructure activities also deal with billing and payment.

[0188] Existing payment mechanisms either assume that the parties will at some time be in each other's physical presence or that there will be a sufficient delay in the payment process for frauds, overdrafts, and other undesirable conditions to be identified and corrected. Many of these payment mechanisms have already begun to adapt in response to the conduct of business over networks. Entirely new forms of electronic payment are evolving.

[0189] The following is a representative (but not definitive) list of electronic payment systems (some of the following names are trademarks): Anonymous Internet Mercantile Protocol; “BITBUX” from “MICROSOFT” and “VISA”; CARI (Collect All Relevant Information) the Internet Voice Robot, uses virtual credit cards to provide secure transactions from the Web; “CHECKFREE” plans for expanding the way commerce is conducted on the Internet; “COMMERCENET” secure commerce on the Internet based on Secure HTTP; “CYBERCASH”; “DIGICASH”; “DOWNTOWN ANYWHERE” has a system using account numbers, and personal payment passwords; First Bank of Internet (FBOI); First Virtual Internet Payment System allows real payment on the Internet; IkP, A Family of Secure Payment Protocols from IBM; Internet Banking White Paper from WebTech; NetBill Electronic Commerce Project; “NetCash”; “NetCheque”; “NetChex”; “NetMarket”; “Netscape Communications Netsite Commerce Server” and “Netscape Navigator”; “NexusBucks”; “Open Market”; Security First Network Bank is an Internet Savings Bank; SNPP: A Simple Network Payment Protocol; Sun Internet Commerce Group; Virtual Bank of the Internet.

[0190] Some electronic payment systems operate in real time by communicating through the Internet or direct dial. Others employ a prepaid balance which is debited against merchant credits, with periodic batch updating and transmission.

[0191] It is envisioned that embodiments of the present invention will employ an appropriate payment mechanism such as is well known in the art. Accordingly, the actual payment mechanism is not specified.

[0192] Rules and Policies

[0193] The rules (provided together with or separately from the packaged data) embody the data owner's control policies with respect to a user's access rights to the data.

[0194] The present invention permits the owner of intellectual property to realize a gain by selling or licensing various levels of access rights to the property and then ensuring that access beyond those rights is not obtained. The present invention ensures that only such qualities and quantities of access as released by the owner (generally, in exchange for payment) are allowed.

[0195] The rules are preferably embodied in a permission list. An example of permissions in such a list is shown in FIG. 3, and was described above.

[0196] While the rules allowed are open ended, an example set of rules (access control parameters) is given below. Access control parameters may be combined to provide varying sets of capabilities and to implement the enforcement of various policies. Some parameters are independent of any other parameters; some parameters are mutually exclusive; and other parameters must be used in combination to define fully the actions to be allowed or disallowed.

[0197] No Restriction

[0198] This would be the status if no restrictions were placed on the associated data. If this parameter is explicitly stated it overrides any contradictory parameter that may also be present. The data may be read, printed, executed, modified and copied.

[0199] No Modify

[0200] The associated data may not be edited or changed.

[0201] No Copy

[0202] The data may not be copied and a derivative work may not be made from the data.

[0203] No Execute

[0204] The data may not be executed.

[0205] No Print

[0206] The data may not be printed.

[0207] Print With Restriction of Type n

[0208] If the user prints after accessing the data, a simulated watermark will be printed as background or a header and/or footer will be placed on each page. The numeral n specifies the specific restriction to be applied, e.g., standard watermark (such as “do not copy”), personal watermark (such as “printed for name of user”), standard header/footer (such as “Company Name Confidential”), or personal header/footer (such as “Printed for name of user”).

[0209] No Access

[0210] Any user access, including an attempt to execute, will retrieve only encrypted data (ciphertext). This is the default case when there are no rules associated with data or the rules are corrupted.

[0211] No Child Access

[0212] Unless the user has been identified as an adult (for example by use of a password or a token) access will not be allowed for items identified as “adult material.”

[0213] Access Cost=(unit, price)

[0214] Each time a unit of data (e.g., book, volume, chapter, page, paragraph, word, map, record, song, image, kilobyte, etc.) is opened, a cost of price is incurred.

[0215] Print Cost=(unit, price)

[0216] Each time a unit (e.g., page, file, image, etc.) is printed, a cost of price is incurred.

[0217] Copy/Transmit Cost=(unit, price)

[0218] Each time a unit (e.g., volume, file, record, page, kilobyte, image, etc.) is output, a cost of price is incurred.

[0219] Execute only

[0220] The user may execute a program but may not read, print, modify or copy it. This rule protects against disclosure of an algorithm.

[0221] A permission list consists of rules governing the qualities and quantities of access made available by the owner to a particular user or group or class of users, and defines those ways in which the user may (and may not) interact with the owner's data/information. An encrypted permission list (for example, encrypted rules 124 in FIG. 2) is made available by the owner to the user, generally in exchange for fees (in the commercial domain) (for example, payment 110 in FIG. 1). The system denies the user direct access to manipulate the permission list, although in some cases it may allow the user to view the permission list. (The permission list may include rules governing access to the permission list itself.) Use of a permission list may be limited to a particular computer system, a particular token (such as a smart card), a user-supplied password, or any combination of these or other items.
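The parameter semantics listed above (an explicit No Restriction overriding contradictory parameters, No Access as the default for missing or corrupted rules, No Child Access tied to the user's adult status, Execute only, and the (unit, price) costs), as an added Python evaluator that is not part of the patent. The numbering of the print-restriction types, the prices in cents, and the user records are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

OPERATIONS = ("read", "print", "execute", "modify", "copy")

# Parameter that blocks each operation outright ("read" has no such parameter).
BLOCKED_BY = {"print": "No Print", "execute": "No Execute",
              "modify": "No Modify", "copy": "No Copy"}
# Per-unit cost parameter specific to an operation, charged in addition to the
# "Access Cost" incurred whenever a unit of data is opened (our reading of [0214]).
EXTRA_COST = {"print": "Print Cost", "copy": "Copy/Transmit Cost"}

# Constructed numbering of "Print With Restriction of Type n": the page names the
# four kinds of marking but does not assign them numbers.
PRINT_MARKINGS = {
    1: lambda user: "do not copy",                    # standard watermark
    2: lambda user: "printed for " + user["name"],    # personal watermark
    3: lambda user: "Company Name Confidential",      # standard header/footer
    4: lambda user: "Printed for " + user["name"],    # personal header/footer
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    charge_cents: int = 0            # total cost incurred by this access
    marking: Optional[str] = None    # watermark / header-footer text for printed output


def decide(permission_list, operation: str, user: dict, units: int = 1) -> Decision:
    """Evaluate one operation against a permission list.

    permission_list is None when the rules are absent or corrupted; otherwise it
    is a list whose entries are a bare parameter name ("No Copy") or a tuple with
    the parameter's arguments (("Print With Restriction", 2), ("Access Cost", "page", 5)).
    """
    if operation not in OPERATIONS:
        raise ValueError("unknown operation: " + operation)
    if permission_list is None:                  # [0210]: no rules or corrupted rules -> No Access
        return Decision(False, "No Access (default)")
    params = {}
    for entry in permission_list:
        name, *args = (entry,) if isinstance(entry, str) else entry
        params[name] = tuple(args)
    if "No Restriction" in params:               # [0198]: explicit, overrides contradictory parameters
        return Decision(True, "No Restriction")
    if "No Access" in params:
        return Decision(False, "No Access")
    if "No Child Access" in params and not user.get("adult", False):
        return Decision(False, "No Child Access")  # [0212]: adult status comes from the secure device
    if "Execute only" in params and operation != "execute":
        return Decision(False, "Execute only")   # [0220]: run it, but never read/print/modify/copy
    if BLOCKED_BY.get(operation) in params:
        return Decision(False, BLOCKED_BY[operation])
    charge = 0
    for cost_name in ("Access Cost", EXTRA_COST.get(operation)):
        if cost_name in params:
            _unit, price = params[cost_name]     # (unit, price) pair from the rule
            charge += units * price
    marking = None
    if operation == "print" and "Print With Restriction" in params:
        marking = PRINT_MARKINGS[params["Print With Restriction"][0]](user)
    return Decision(True, "permitted", charge, marking)
```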

[0222] At the discretion of the intellectual property (data) owner, a permission list may also be valid for future releases of the data. This allows, for example, a software owner to plan for future releases that resolve problems discovered in an initial software release. In this example, the user of a particular version of a program, for instance, Version 6, might be allowed to use a subsequent version of the program, Version 6.1, without further payment and without needing to obtain a new permission list or license. One who had not already licensed Program Version 6 would be required to purchase a new permission list/license in order to use Program Version 6.1.

[0223] A permission list may authorize and permit the user of intellectual property to create a derivative product for which the original owner may or may not have rights. In the case of a derivative product for which the owner of the original intellectual property has no rights, the owner of the derivative intellectual property can unilaterally issue a permission list governing use of that intellectual property.

[0224] Program execution occurs when a computer device follows a series of steps, or instructions, expressed in some symbology. The program may be linear, with one step always following its predecessor without variation, or the program may involve branching based on comparison of variables related to internal or external events and status. In the field of computer science a distinction is sometimes made according to the time at which the instructions comprising the program are translated into the computer's machine language in order to control the operation of the computer. Accordingly, terms such as assembly, compilation, and interpretation are used. This distinction is not important with respect to the present invention. The term execution is used herein to refer to all forms of program execution.

[0225] Controlling Primary Distribution

[0226] As noted above, digital information is transmitted openly. Accordingly, the data are typically distributed in an encrypted form.

[0227] Enforcing an Authorized User List

[0228] In some cases, it is useful to have a rule which controls access to data for certain specific users or classes of users. For example, data may only be accessible to people over the age of eighteen, or to people having a rank greater than or equal to that of captain, or to managers having a security clearance greater than top-secret. In these cases, each user can be provided with a separate set of rules for that specific user. In other words, each user can be provided with a unique set of rules. However, if the status of a user changes, then the rules for that user have to be changed. Accordingly, it is useful and convenient to have the rules be parameterized based on the status of the user and then have the user's status provided to the access mechanism 114 in a secure fashion.

[0229] The invention can be used in combination with software and other identification technology (for example, biometric sensors) to limit data access to users that possess an appropriate physical or logical token (for example, a dongle or password), or personal characteristic (for example, a fingerprint pattern). The secure hardware (via tamper detection) eliminates the potential for modifying and subverting the identification software.

[0230] An embodiment having such a configuration is shown in FIG. 14, wherein the access mechanism 114 is connected to an external secure device 182 in order to obtain the user's status. Channel 183, connecting the secure device 182 and the access mechanism 114, is preferably a secure channel (within the security boundary 167); however, if it is insecure, the device 182 must send information to the access mechanism 114 in a protected (e.g., encrypted) manner.

[0231] Controlling Access and Use

[0232] The invention can restrict the qualities or quantities of access to data in any manner that can be calculated or enumerated. A non-exhaustive, representative set of examples is given below.

[0233] Access Control Qualities

[0234] (a) Local Display (for example, display of data on the computer's monitor).

[0235] (b) Printing (i.e., fixation in a form intelligible to a person).

[0236] (c) Copying (i.e., fixation on an electronic medium such as a disk or tape).

[0237] (d) Transmission (see below regarding controlling secondary distribution).

[0238] (e) Modification (i.e., changes to a copy of the primary distribution).

[0239] Access Control Quantities

[0240] (a) Number of read-accesses (where “read access” refers to any kind of examination or retrieval of data/information).

[0241] (b) Size of read-access.

[0242] (c) Expiration date.

[0243] (d) Intensity of access (number/total volume of read-accesses in a unit of time).

[0244] (e) Resolution of access (for example, in the context of a map this would be the maximum scale allowed; for sensor data this would be the precision (number of bits) returned to the user).

[0245] (f) Delay (Accesses are permitted to data after a delay of n time units. This allows different user groups to view the same dataset with different results to queries. For example, a stock broker would be able to view the latest data, while a customer, paying less for the service, might receive data that are delayed by 15 minutes.)

[0246] Access Control Granularity

[0247] The above access control policies can be applied differently to different portions of the intellectual property. For example, a document's chapters might be controlled at different levels of quantity and quality; a map's information might be controlled differently at different latitudes and longitudes; portions of an image may be restricted in availability, resolution, and the like.

[0248] Controlling Secondary Distribution

[0249] The invention provides absolute control of secondary distribution of data (for example, preventing or restricting potential use).

[0250] Transmission of (an unencrypted copy of) the primary distribution data (either to a network or to an output device such as a tape or disk) can only be effected when the system, acting under the rules embodied in the owner's permission list, allows external output. Denial of permission to transmit an unencrypted copy may result in no output or may result in transmission of an encrypted copy (for which the recipient must then negotiate permissions in order to use). Alternately, denial of permission to transmit may result in the transmission of random data, thereby denying the user knowledge of whether or not encrypted data was transferred.

[0251] Since all storage of data on internal non-volatile memory devices (for example, disks, flash memory, and the like) is encrypted, a physical attack on the system will not result in compromise of plaintext.

[0252] Controlling Printing or Display

[0253] Printing or display of data is controlled in a manner similar to that used for controlling secondary distribution. One option is to disallow the ability to send particular information to a printer or display. If printing or display is allowed, the data stream to the output device is encrypted to ensure that an unauthorized user cannot intercept data sent to an external printer or display (that is, to a printer or display outside the tamper-detect protected enclosure). This necessitates that the receiving device contain a decryption subsystem. Thus, as shown in FIG. 8, data from access mechanism 114 via I/O controller 165 to either the controlled printer 178 or the controlled display 180 is encrypted on channels 174 and 176, respectively.

[0254] As discussed above when addressing the threat of capture of the output signal, an encryption mechanism is used for protecting data transfers to printer or display so that, if the data owner wishes, printing or display may be restricted to a specific printer or display device.

[0255] Instead of disallowing printing or display, these functions may be allowed with limitations as imposed by the owner. For example, output might contain a header/footer on each page indicating the identity of the authorized user; a watermark might be printed in the background; or other identifying material might be placed on each image. Of course, the data stream would be encrypted (as above) to prevent interception.

[0256] Document marking and identification techniques can be used to discourage the illicit copying of documents distributed in either paper or electronic form. The exact form of printer characters as well as line and word shifting have been used for document marking and identification (“Document Marking and Identification using both Line and Word Shifting,” Low, S. H., et al., 1995 INFOCOM Proceedings, IEEE, pp. 853-, 1995).

[0257] One of the major technical and economic challenges faced by electronic publishing is that of preventing individuals from easily copying and illegally or without authorization distributing electronic documents. Cryptographic protocols used to discourage the distribution of illicit electronic copies are described in “Copyright Protection for Electronic Publishing over Computer Networks,” Choudhury, A. K., et al., IEEE Network, pp. 12-20, May-June 1995.

[0258] Preferably, each controlled peripheral device (e.g., controlled printer 178 or display 180) is provided with an access mechanism which allows the device to process data it receives. This allows the data being sent to a controlled peripheral device from a system using an access mechanism to be treated as either a copy of data or a derivative work that is being sent to another user (that happens to be a peripheral). In other words, if a peripheral device contains an access mechanism, the data sent to the device can be packaged data. Using this approach requires that the receiving access mechanism (the peripheral's access mechanism) include the rules (permission list(s)) in order to obtain the key needed to decrypt the data in order to print or display them (or do whatever the peripheral does with data). If no permission list is included and the data are encrypted by the printer's public key, the printer's access mechanism decrypts the data and prints them (just as they would have been printed had the unencrypted data stream been received by a standard printer).

[0259] The access mechanism in the controlled peripheral device need not be a full system whenever the peripheral device is limited in function, for example, to only printing or displaying data. The peripheral and its access mechanism subsystem must be in a tamper-detecting enclosure.

[0260] As noted, it is envisioned that a computer or other device equipped with an access mechanism will be used with a controlled output device (printer or display) so equipped. If the data owner allows (via the rules) output (e.g., printing) to a controlled output device (e.g., printer) (equipped with an access mechanism), then there are two possibilities. The access mechanism in the user's computer can process any required payment and send the data, encrypted with the device's public key, to the printer or display for output. Alternately, the access mechanism processes the data as a derivative work (discussed below), packaging rules with the data, and the output device is responsible for separate payment (for example, allowing retention and multiple copies).

[0261] In order to limit the number of copies output, a short time window is included in the rules so that the recipient cannot capture (record) the file and replay it multiple times to the output device. Additionally, the access mechanism in the output device can contain a relatively small non-volatile memory that would hold the checksum of a file that is not to be output again for a certain time period, say, for 15 minutes from the first output (and an output permission list in the rules would specify “n copies, only valid for 15 minutes from x to x+15”).

[0262] In the case of standard output devices (non-controlled, i.e., without access mechanisms), data are provided unencrypted (to the extent that the rules permit and payment has been provided).

[0263] Controlling Distributions of Derivative Works

[0264] In many application environments where intellectual property is created it is common to include extracts from other intellectual property. Such environments include writing scholarly papers, reviews, regulations, etc. The intellectual property containing the extract is a so-called derivative work. The intellectual property from which the extract was copied is called the parent work.

[0265] This invention controls the distribution of derivative works (that is, works created using information owned by another). Transmission of (an unencrypted copy of) a derivative work (to a network, to an output device such as a tape or disk, or to a printer or display device or the like) can only be effected when the system, acting under the rules embodied in permission lists created by each of the owners of any intellectual properties used in the derivative work, allows external output. Denial of permission to transmit an unencrypted copy may result in no output or may result in transmission of an encrypted copy (or, as noted above, may result in the transmission of random data). Use of an encrypted copy of a derivative work will, in general, require permissions from the owners of the derivative work as well as of the original works. The permission list associated with a work is incorporated into the permission list of any derivative work, either directly or by reference. License fees and restrictions imposed by the owner of a work are inherited by any derivative works. An n-th generation derivative work inherits the license fees and restrictions of each of its n−1 ancestors. If permission lists (rules) are incorporated by reference, the access mechanism ensures that the referenced permission lists (rules) are present (or it will deny access).

[0266] For example, if printing of an original work requires awatermark, then printing of any derivative work (if allowed at all) willrequire a watermark. This monotonicity/cascading of restrictions (i.e.,each generation of a work must be at least as restricted as the priorgeneration) ensures that a derivative work that is only triviallychanged from the original does not escape restrictions imposed on theoriginal.

[0267] Creation of a derivative work for subsequent distribution requires a distributor 190 similar to distributor 102 shown in FIGS. 1 and 5. However, derivative work distributor 190 (shown in FIG. 15) includes an access mechanism 114 and can process, as input data, packaged data 108 a. The output produced by distributor 190 is packaged data 108 b which includes any rules (or references to rules) required by data which is derived from the input packaged data 108 a. The access mechanism 114 within distributor 190 incorporates a global rule which enforces the distribution of rules with derivative works.

[0268] As noted earlier, the difference between the embodiments of the distributors 102 and 190, shown in FIGS. 1 and 15, respectively, is that the distributor 102 shown in FIG. 1 does not include an access mechanism 114. Accordingly, the distributor 102 deals only with newly created data (that is, with non-derivative data). The embodiment shown in FIG. 15 includes that of FIG. 1, and can also deal with input of protected data (previously packaged by a distributor). The embodiment of the system shown in FIG. 1 can be implemented purely in software, whereas the embodiment shown in FIG. 15 requires some hardware implementation.

[0269] It is envisioned that a standard computer, equipped with an access mechanism 114, will function as an authoring/distribution system. This allows all computer users to become authors and to incorporate previously published material into derivative works.

[0270] The rules associated with the parent work determine whether creation of derivative intellectual property is permitted, as well as the inheritance rules for incorporating the rules of the parent into the derivative work. Note that the rules derived from the parent apply only to the extract and that these rules applying to the extract need not be identical to the rules of the parent. The rules applying to the extract are specified by the owner of the parent, not by the creator of the derivative work.

[0271] For example, the rules applying to the extract might require payment to the owner of the parent for use of the derivative work containing the extract. If the creator of the derivative also required payment, the user of the derivative would make payments to two owners for use of the derivative. In an automated system the details of such multiple payments would be invisible to a user.

[0272] This invention enables such payment arrangements that would otherwise be prohibitively difficult and complex.

[0273] Another example relates to integrity and moral rights of the owner of the parent. The owner might require that an extract be made without alteration, or that certain related information be included (for example, to prevent the extract from being taken out of context).

[0274] Data extracted from the parent comes with rules already attached or associated. These rules propagate into the derivative, but are applicable only to the extract. Extracts from the same parent may or may not share rules. Extracts from multiple parents may result in multiple rules applying to different extracts. As noted, a derivative work may contain references to data and rules rather than the actual data and rules. For certain commercial products it may be desirable to have the final packaged data 108 b be fully self-contained. Accordingly, the packaged data 108 b output from this distributor 190 may require further processing in order to optimize it for commercial distribution. Such optimization might include, for example, obtaining and including copies of all rules and data referenced in the package.
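
Added example (Go), not part of the patent text: the rule inheritance of [0265] through [0274]. A derivative work's permission list carries its own rules plus those of each parent, inlined or incorporated by reference; the access mechanism resolves the references (denying access if one is absent), folds every inherited rule set together with the device's own built-in rules into the most restrictive combination, and accumulates the license fees owed to each owner. The field names, the four rule attributes, the owners and the fee amounts are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Rules is a small permission list: "allowed" permissions, a watermark
// requirement on printed output, a quantity (MaxPrints, -1 = unlimited) and
// the license fee owed to Owner per use.
type Rules struct {
	Owner        string
	PrintAllowed bool
	CopyAllowed  bool
	Watermark    bool
	MaxPrints    int
	FeeCents     int
}

// PermissionList travels with packaged data: the owner's own rules plus the
// lists of parent works, inlined in Parents or incorporated by reference in
// Refs. IDs are assumed unique.
type PermissionList struct {
	ID      string
	Own     Rules
	Parents []PermissionList
	Refs    []string
}

// MostRestrictive folds rule sets so the result is at least as restrictive as
// every input: permissions are ANDed, requirements ORed, quantities take the
// minimum, and fees owed to each owner accumulate.
func MostRestrictive(sets ...Rules) (Rules, map[string]int) {
	fees := map[string]int{}
	c := Rules{PrintAllowed: true, CopyAllowed: true, MaxPrints: -1}
	for _, r := range sets {
		c.PrintAllowed = c.PrintAllowed && r.PrintAllowed
		c.CopyAllowed = c.CopyAllowed && r.CopyAllowed
		c.Watermark = c.Watermark || r.Watermark
		if r.MaxPrints >= 0 && (c.MaxPrints < 0 || r.MaxPrints < c.MaxPrints) {
			c.MaxPrints = r.MaxPrints
		}
		if r.Owner != "" {
			fees[r.Owner] += r.FeeCents
		}
	}
	return c, fees
}

var ErrMissingReference = errors.New("referenced permission list not present")

// resolve flattens a list into every rule set that applies to the work,
// following references through registry. An absent reference or a reference
// cycle is an error: access is denied rather than a restriction dropped.
func resolve(list PermissionList, registry map[string]PermissionList, path map[string]bool) ([]Rules, error) {
	if path[list.ID] {
		return nil, fmt.Errorf("reference cycle at %q", list.ID)
	}
	path[list.ID] = true
	defer delete(path, list.ID)
	parents := append([]PermissionList{}, list.Parents...)
	for _, id := range list.Refs {
		p, ok := registry[id]
		if !ok {
			return nil, fmt.Errorf("%w: %s", ErrMissingReference, id)
		}
		parents = append(parents, p)
	}
	out := []Rules{list.Own}
	for _, p := range parents {
		r, err := resolve(p, registry, path)
		if err != nil {
			return nil, err
		}
		out = append(out, r...)
	}
	return out, nil
}

// Effective is what the access mechanism enforces for a work on a device: the
// device's built-in rules combined with every inherited rule set, so no
// generation of a derivative escapes the limits of its ancestors.
func Effective(builtIn Rules, list PermissionList, registry map[string]PermissionList) (Rules, map[string]int, error) {
	sets, err := resolve(list, registry, map[string]bool{})
	if err != nil {
		return Rules{}, nil, err
	}
	c, fees := MostRestrictive(append([]Rules{builtIn}, sets...)...)
	return c, fees, nil
}

func main() {
	// Constructed: a paper owned by bob quotes a parent work owned by alice.
	parent := PermissionList{ID: "parent-1", Own: Rules{Owner: "alice", PrintAllowed: true, Watermark: true, MaxPrints: 3, FeeCents: 50}}
	paper := PermissionList{ID: "paper-1", Own: Rules{Owner: "bob", PrintAllowed: true, CopyAllowed: true, MaxPrints: -1, FeeCents: 20}, Refs: []string{"parent-1"}}
	device := Rules{PrintAllowed: true, CopyAllowed: true, MaxPrints: -1}
	fmt.Println(Effective(device, paper, map[string]PermissionList{"parent-1": parent}))
	fmt.Println(Effective(device, paper, map[string]PermissionList{}))
}
```

Because the fold is a meet over a lattice (AND on permissions, OR on requirements, min on quantities), it is the same operation that enforces the monotonicity of [0266] across n generations and that stops rules packaged with the data from relaxing a device's non-overridable built-in rules.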

[0275] Extract Authentication

[0276] Digital signatures authenticate digital information by providing proof that information received is precisely that which was sent, with no changes. This system provides a similar capability to authenticate extracts (quotes) of information.

[0277] Application environments, such as providing a legal trail of evidence or authenticating that a quotation is accurate, are enhanced by the ability to prove that the information has not been subject to unauthorized alteration.

[0278] Authenticated extraction is implemented by creating an extraction editor that runs in the access mechanism 114. This extraction editor, possibly under human direction, can extract selected text but is unable to change the extract. When extraction is complete, the access mechanism 114 digitally signs the extract with a digital signature. This digital signature includes identification of the specific computer in which the access mechanism 114 is executing as well as identification of the specific extraction editor used.

[0279] The extraction editor can, optionally, be permitted or required to insert ellipses to indicate deletions, and certain specified insertions, such as, for example, “[sic],” might be allowed.

[0280] In another embodiment, a so-called hyperlink can be used in newly created data to indicate the insertion location of a quotation. When an output operation is performed, the access mechanism 114 creates a separate quotation, with its own checksum and digital signature. Any recipient of data containing the hyperlink can verify that the contents of the hyperlink were captured by access mechanism 114 and delivered unchanged.
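
Added example (Go), not part of the patent text: the extraction editor and signature of [0278] through [0280]. The faithfulness check admits only deletions marked by an ellipsis and the “[sic]” insertion of [0279]; the signature covers the extract together with the machine and extraction-editor identifiers. Ed25519 is the example's choice of signature scheme (the patent names none), and the identifiers, the parent text and the function names are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// IsFaithfulExtract reports whether extract can be produced from parent by
// deleting words only, every internal deletion marked by "...", with "[sic]"
// the one permitted insertion. A quotation may start and end anywhere.
func IsFaithfulExtract(parent, extract string) bool {
	src := strings.Fields(parent)
	pos, started, ellipsis := 0, false, false
	for _, tok := range strings.Fields(extract) {
		switch tok {
		case "...":
			ellipsis = true
			continue
		case "[sic]":
			continue
		}
		j := pos
		for j < len(src) && src[j] != tok {
			j++
		}
		if j == len(src) {
			return false // word absent or out of order: altered or rearranged
		}
		if started && j > pos && !ellipsis {
			return false // words dropped without marking the deletion
		}
		pos, started, ellipsis = j+1, true, false
	}
	return started
}

// SignedExtract is what the access mechanism emits: the extract, the identity
// of the computer and of the extraction editor, and a signature over all three.
type SignedExtract struct {
	Extract   string
	MachineID string
	EditorID  string
	Signature []byte
}

// message length-prefixes the fields so none can shift into another, then hashes them.
func (s SignedExtract) message() []byte {
	h := sha256.New()
	for _, f := range []string{s.MachineID, s.EditorID, s.Extract} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		h.Write(n[:])
		h.Write([]byte(f))
	}
	return h.Sum(nil)
}

var ErrUnfaithful = errors.New("extract is not an unaltered quotation of the parent")

// NewMechanismKey stands in for the signing key provisioned into an access
// mechanism at manufacture.
func NewMechanismKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// ExtractAndSign is the extraction editor's output step: it refuses to sign
// anything that is not a faithful extract of the parent, then signs.
func ExtractAndSign(priv ed25519.PrivateKey, machineID, editorID, parent, extract string) (SignedExtract, error) {
	if !IsFaithfulExtract(parent, extract) {
		return SignedExtract{}, ErrUnfaithful
	}
	s := SignedExtract{Extract: extract, MachineID: machineID, EditorID: editorID}
	s.Signature = ed25519.Sign(priv, s.message())
	return s, nil
}

// Verify lets any recipient check that extract and identities are exactly what was signed.
func Verify(pub ed25519.PublicKey, s SignedExtract) bool {
	return ed25519.Verify(pub, s.message(), s.Signature)
}

func main() {
	pub, priv := NewMechanismKey()
	parent := "the quick brown fox jumps over the lazy dog" // constructed parent work
	s, err := ExtractAndSign(priv, "machine-0001", "extract-editor-1.0", parent, "quick brown fox ... lazy dog")
	fmt.Println(err, Verify(pub, s))
	s.Extract = "quick brown cat ... lazy dog" // altered after signing
	fmt.Println(Verify(pub, s))
}
```

The check runs before signing, so a signature only ever exists for text the editor could not have altered; the length-prefixed encoding keeps a recipient from reading a moved boundary between machine, editor and extract as a different but still valid triple.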

[0281] Controlling Use of Executable Software

Control of Primary Distributions

[0282] The invention enables the creator of executable software to restrict the use of the software to only those who have acquired permissions for various of its capabilities. Executable software will be distributed in encrypted form, externally treated as data, as described above. In general, execution of a program can be controlled for multiple purposes in a number of ways. Purchase of a license to execute software can be evidenced by a cryptographically protected certificate which is decrypted internally by the access mechanism 114. The executable software can check for the presence of the certificate, or for permission keys or other information contained in the certificate, once or many times during execution. Since the algorithm embodied in an executable program may be valuable intellectual property, the access mechanism 114 can prevent a licensee from reading, copying, or modifying unencrypted executable code. In order to prevent disclosure of the unencrypted executable code, it is kept wholly within the security perimeter of the access mechanism 114 for execution.

[0283] Elimination of the Distributor (Middleman)

[0284] The invention enables the executable software owner to make copies easily available on a network server in encrypted form. Users may download the executable software and then separately purchase the rights to utilize the executable software. Thus, a standard purchase of software may be accomplished electronically, dealing with the owner's electronic commerce system. Thereby, the entire process of acquiring the executable software package and then purchasing the rights to use it may be effected without going through a distributor.

[0285] Offering discounted upgrades to software licensees is also simplified. When a licensee claims eligibility for a discounted upgrade, the executable software owner can check the record of purchase of rights for the prior version of the product. Once again, the entire process can be automated.

[0286] Simplification of Configuration Management

[0287] The executable software owner can elect to make available on a network server product improvements that operate with existing permission lists, thus immediately releasing product improvements and fixes.

[0288] Multiple levels of product capability can be incorporated into a single release and can be selectively enabled by different permission lists. The tailoring of different distributions, with differing capabilities, is no longer necessary.

[0289] Active Control of Capability of Executable Software

[0290] The invention's control of distribution of data or information (that are not executable software) may be characterized as passive or transparent in that no changes are required in the data or information for them to be protected. The permission list that controls their use may be separately created, packaged, and supplied.

[0291] The control of primary distribution of data or information as well as the secondary distribution or distribution of modifications (derivatives) of data or information is passive. However, the invention's control of executable software capability is active and requires that the executable software developer use the programming interface provided by the system. At each point where the developer requires authorization, the executable software requests a permission-check. As a result, the process of FIG. 16 is performed. If the requisite authorization is received, the function of the software is performed. If authorization is denied, an alternative action is chosen. The system may itself take certain actions including, for example, terminating a program or erasing data, when authorization is denied. As executable software is distributed in encrypted form, it can only be decrypted and executed (used) on a machine employing the access mechanism of the present invention.

[0292] With reference to FIG. 16, first the operation is identified (step S1600) and the rules are checked (step S1602). Next it is determined whether the rules permit the operation (step S1604). If the operation is not permitted (or it is permitted but payment is not acceptable (step S1606)), then it is determined whether any system action is required (step S1608). If no system action is required, the return code for “not allowed” is set and control is returned (step S1610); otherwise the system action is performed (step S1612), after which the return code for “not allowed” is set and control is returned (step S1610).

[0293] If the operation is permitted (step S1604) and payment is acceptable (step S1606), then the return code for “allowed” is set (step S1616).

[0294] The invention can be used to restrict the qualities or quantities of executable software execution in any manner that can be calculated or enumerated. Representative non-exhaustive examples of restrictions are given below. These restrictions may be combined in any fashion.

[0295] Levels of Capability

[0296] Access to Specific Parts of Code or Features

[0297] Control of sizes or quantities that can be handled. For example, files may be allowed up to a specific size; the complexity or accuracy of a solution may be limited; the number of parameters or data points may be restricted; etc.

[0298] Quantitative Modifiers of Levels of Capability

[0299] Control of expiration dates, time of use, number and frequency of uses, and permitted users. For example, rights to use of a file of data (whatever it contains) may expire on a certain date; access to certain data may be limited to certain times of day, days of the week or specific dates; a user may only be allowed to access certain data a specified number of times (or a specified number of times per day); or access to some data may be restricted based on the identity of the user.
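
Added example (Go), not part of the patent text: the permission-check of FIG. 16 as described in [0291] through [0293], applied to the quantitative modifiers of [0299] (expiration date, hours of use, uses per day, permitted user) and a payment requirement. The rule fields, the named system action and the constructed rule in main are assumptions of the example; the system action is recorded in the result rather than carried out, since what it does is up to the mechanism.

```go
package main

import (
	"fmt"
	"time"
)

// Rule is one permission-list entry for executable software: the operation it
// governs, who may invoke it, until when, during which hours, how often per
// day, what it costs, and what the system itself does when it denies access.
type Rule struct {
	Operation    string
	User         string    // "": any user
	ExpiresAt    time.Time // zero: never expires
	HourFrom     int       // permitted hours of day [HourFrom, HourTo); both 0: always
	HourTo       int
	MaxPerDay    int    // 0: unlimited
	PriceCents   int    // payment required per use
	SystemAction string // e.g. "terminate-program"; "": none
}

// Request is the permission-check the developer issues through the system's
// programming interface at each point that needs authorization.
type Request struct {
	Operation string
	User      string
	At        time.Time
	Payment   int // cents offered
}

// Result is the return code of FIG. 16 plus, on denial, the reason and the
// system action performed in step S1612.
type Result struct {
	Allowed      bool
	Reason       string
	SystemAction string
}

// Checker holds the rules and the per-user, per-day counters that the
// "specified number of times per day" restriction needs.
type Checker struct {
	Rules []Rule
	uses  map[string]int // key: operation|user|date
}

func NewChecker(rules []Rule) *Checker {
	return &Checker{Rules: rules, uses: map[string]int{}}
}

func useKey(q Request) string {
	return q.Operation + "|" + q.User + "|" + q.At.UTC().Format("2006-01-02")
}

// permitted is step S1604: does the rule admit this user at this time with
// the daily quota not yet spent?
func (c *Checker) permitted(r Rule, q Request) (bool, string) {
	switch {
	case r.User != "" && r.User != q.User:
		return false, "user not permitted"
	case !r.ExpiresAt.IsZero() && !q.At.Before(r.ExpiresAt):
		return false, "rights expired"
	case (r.HourFrom != 0 || r.HourTo != 0) && (q.At.Hour() < r.HourFrom || q.At.Hour() >= r.HourTo):
		return false, "outside permitted hours"
	case r.MaxPerDay > 0 && c.uses[useKey(q)] >= r.MaxPerDay:
		return false, "daily use limit reached"
	}
	return true, ""
}

// Check is the process of FIG. 16: identify the operation (S1600), check the
// rules (S1602, S1604) and payment (S1606); on denial perform any required
// system action (S1608, S1612) and return "not allowed" (S1610); otherwise
// record the use and return "allowed" (S1616). Unknown operations fail closed.
func (c *Checker) Check(q Request) Result {
	for _, r := range c.Rules {
		if r.Operation != q.Operation {
			continue
		}
		ok, reason := c.permitted(r, q)
		if ok && q.Payment < r.PriceCents {
			ok, reason = false, "payment not acceptable"
		}
		if !ok {
			return Result{Reason: reason, SystemAction: r.SystemAction}
		}
		c.uses[useKey(q)]++
		return Result{Allowed: true}
	}
	return Result{Reason: "no rule for operation"}
}

func main() {
	// Constructed rule: alice may run the grammar checker twice a day, 09:00-17:00 UTC,
	// until 2025-01-01, for 100 cents per use; a denial terminates the program.
	c := NewChecker([]Rule{{Operation: "grammar-check", User: "alice",
		ExpiresAt: time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC), HourFrom: 9, HourTo: 17,
		MaxPerDay: 2, PriceCents: 100, SystemAction: "terminate-program"}})
	at := time.Date(2024, 6, 1, 10, 0, 0, 0, time.UTC)
	fmt.Printf("%+v\n", c.Check(Request{Operation: "grammar-check", User: "alice", At: at, Payment: 100}))
	fmt.Printf("%+v\n", c.Check(Request{Operation: "grammar-check", User: "bob", At: at, Payment: 100}))
}
```

The use counter is incremented only on the allowed path, so a denied or unpaid request does not consume quota, and the time used for every check is the one supplied with the request, which in a real mechanism must come from the mechanism's own clock or a trusted external reference rather than from the calling program.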

[0300] Control of Secondary and Derivative Executable Software Distributions

[0301] This is handled in the same fashion as are data files, as described above.

[0302] Control of Executable Software as a Module of Other Executable Software

[0303] When protected executable software is incorporated into or used by other executable software on the system for which it was licensed, any limitations on its execution are maintained in the new context.

[0304] Restricting Use to Certified Software

[0305] The access mechanism 114 can be factory configured to restrict operation only to such software as is certified (e.g., by using a digital signature to ensure that the software was received unaltered from a certified source). Other contemplated applications include key escrow (also called “data recovery”) systems (described below), systems for counting election ballots, systems for exchanging cryptographic data or algorithms, and systems for safeguarding financial, medical, or other personal data. Further, a system employing an access mechanism may be used to ensure that such software is not modified after being received or accessed for execution.

[0306] Process Control

[0307] Computer control of processes is the basis for automation and quality control in many industries. This technology extends into various specialties such as computer-aided manufacturing, control systems engineering, concurrent engineering, expert systems, intelligent sensors, just-in-time manufacturing, programmable logic controllers, robotics, robotic programming languages, and visualization techniques in engineering.

[0308] Formulas, processes, procedures, and techniques may convey product differentiation, aesthetic and functional innovation, and increased cost-effectiveness. The computer programs and data involved in process control may constitute valuable intellectual property. The mechanisms of the present invention permit such data to be stored in process-control computers, transmitted to suppliers and subcontractors and otherwise employed without unauthorized disclosure, substitution, or modification.

[0309] The permissions associated with process control data may, for example, allow execution only: reading or observing the data would be prohibited. Execution may be restricted to specific equipment and to specific times. In general, the process controller is external to the equipment implementing the process. Hence, communication between the process controller and the process equipment must be cryptographically protected. Like the access mechanism in a controlled computer peripheral discussed herein, the access function in the process equipment need not be a full system whenever the peripheral device is limited and cannot output data.

[0310] Key Escrow (Data Recovery) Systems

[0311] This system allows a provider of key escrow cryptographic executable software to require, by using a rule, certification that a key has been installed and deposited with a specified certification authority in order for the executable software to function. The access mechanism ensures the integrity of executable software that uses cryptographic executable software (whether or not key escrow), guarding against change or replacement.

[0312] Control of Classified Data

[0313] The invention can be used to support limitations on the (primary and secondary) distribution of data, access to data, and distribution of derivative data where the data are classified. Similarly, the execution of classified programs, or programs operating on classified data, may be controlled by the system.

[0314] Ensured Issuance of Receipts

[0315] This system can be used to ensure that a receipt is issued under a number of circumstances, as demonstrated by representative examples given below. A software program (or electronic mail message) may request that a receipt be issued whenever it is loaded or executed (or when a mail message is received); a receipt may be issued when a mail message is read for the first time; or a program will not be loaded or executed (or mail opened for reading) unless the user first agrees to allow a receipt to be issued.

[0316] Ensuring Privacy

[0317] This system can be used to ensure privacy of sensitive records in a database. Examples include financial, census, medical, and political databases and the like. The system can allow inquiries that provide statistical summaries but do not reveal information about individuals. The rules would be used to limit the queries that might be posed.

[0318] Owner Control/Privileges

[0319] At the time of purchase the identity of the owner may be stored within the access mechanism. The access mechanism may allow the owner to place a global set of rules (a global permission list) in the mechanism. These global rules could control, for example, hours of access (e.g., when the computer might be operated) based on a clock within the access mechanism or an external time reference with which the access mechanism communicates; acceptable software which can be run using the access mechanism (i.e., a list of those software products that would be allowed to be used, thus enforcing a system administrator's configuration control rules); user and password lists; and the like. A user can thereby customize a particular access mechanism.

[0320] The rules may also include or specify certain programs to be run under certain conditions. For example, if the rules specify that all printed output must contain a watermark, the rules might also provide the watermark generating program. In these cases, the programs are either pre-loaded into the access mechanism 114, or are loaded when needed. These programs will then be executed when the corresponding rules or functions are invoked. For example, various types of watermark programs can reside in the access mechanism 114, and, depending on the rules, the appropriate one of these can be selected and executed.

[0321] Note that the data structures in FIGS. 2 and 6 depict logical organizations of the data. However, the actual physical format of the data depends on the type of the data as well as on the manner in which the data are to be used. Further, as noted above, the data package may be distributed in many ways, including networks, magnetic media, CD-ROM, semiconductor memory modules, wireless broadcast and the like. In certain types of data distribution, e.g., continuous cable or wireless broadcast, a user may wish to begin accessing the data at an arbitrary point during its distribution. For example, if the data represent a broadcast movie which begins at 8 p.m., a particular user may only begin viewing at 8:30 p.m. In this case the user will have to initiate reception of the distribution while it is in progress. Accordingly, as shown in FIG. 17(a), in some embodiments the packaged data are distributed in discrete packets 236 of data. The packets 236 include information 238 which enables a user to synchronize with the data distribution and further enables the user to begin accessing the data according to the rules. An example of such a packetized stream of data is shown in FIG. 17(b), wherein the stream 234 consists of discrete packets 236 of data, each packet containing synchronization data 238.

EXAMPLES

[0322] The following examples indicate some envisioned data and its packaging and rules. These examples are only intended to show some of the envisioned uses of the present invention, and are in no way intended to limit its uses.

[0323] Books

[0324] With reference to FIG. 18(a), a digital book 191 consists of an abstract 192, an index 194, and various chapters 196. Each chapter 196 comprises sections 198, and each section comprises text 200 and figures 202. The distributor can decide to package the book 191 such that the abstract 192 and the index 194 are available for browsing, but all other data are protected (encrypted). If the rules specify that the text is restricted in certain ways, then the packaged data structure 108 has the form shown in FIG. 18(b), wherein encrypted body part 120 includes all chapters 196, unencrypted body part 122 includes the abstract 192 and index 194, and encrypted rules 124 contains the encrypted version of the rules.

[0325] Movie

[0326] With reference to FIG. 19(a), a movie 204 can be made such that different parts of the movie combine to form either a trailer 206, a G-rated version (from G-rated parts 208), an R-rated version (formed from G-rated parts 208 and R-rated parts 210) or an X-rated version (formed from G-rated parts 208, R-rated parts 210 and X-rated parts 212). The packaged data structure 108 for this movie has the form shown in FIG. 19(b), wherein encrypted body part 120 includes all the G, R and X-rated parts 208-212, unencrypted body part 122 includes the trailer 206, and encrypted rules 124 contains the encrypted version of the age-based rules which control viewing of the various versions of the movie.

[0327] In one embodiment, as shown in FIG. 19(c), a movie may be released with a main body 207 (having elements common to all three versions) and sections for each of the G, R and X-rated parts (208, 210, 212, respectively). Sections of the movie are selected from one of the rated parts, depending on the permission level (G, R or X) set. FIG. 19(d) shows packaged data structure 108 for such an arrangement.

[0328] Software

[0329] With reference to FIG. 20(a), a software program such as, for example, a word-processor 214 may include a controlled file access part 216, an editor 218, a grammar checker 220, and other features 222. The rules obtained by the user will govern the features of the software that may be used and the quantities of data that may be processed. The rules shown in FIG. 20(c) indicate that the user may not employ the grammar checker and may operate on no more than nine files. The packaged data structure for this software (without rules) 150 is shown in FIG. 20(b), wherein encrypted body part 120 includes the file access mechanism 216, the grammar checker 220 and various other functions 222, and unencrypted body part 122 includes the editor 218. The encrypted rules 124 are shown separately in FIG. 20(c).

[0330] Documents

[0331] With reference to FIG. 21(a), a document such as a legal document 224 comprises paragraphs 226 of words 228. In order to limit access to the non-redacted portions of the document, the rules would require blacking out all redacted words. Accordingly, the corresponding packaged data structure is shown in FIG. 21(b), wherein encrypted body part 120 includes the redacted portions of the document and unencrypted body part 122 contains the non-redacted portions of the document.

[0332] Map Image Data

[0333] With reference to FIG. 22(a), map image data 230 may be available at three resolutions (high, medium and low). The rules may specify that people with a security clearance of greater than “top-secret” can view the data at high resolution, and all non-military users can only view the map data at low resolution. The corresponding packaged data structure is shown in FIG. 22(b), wherein encrypted body part 120 includes all data beyond low resolution (that is, those data required for medium and high resolution) and unencrypted body part 122 contains the low resolution data.

[0334] Global Positioning System (GPS) Software

[0335] With reference to FIG. 23(a), GPS software includes an output routine 232 which can produce output at various degrees of accuracy. The degree of accuracy depends on the security clearance of the user. A corresponding packaged data structure is shown in FIG. 23(b), wherein encrypted body part 120 includes the resolution calculation routine 232 and unencrypted body part 122 contains the other parts of the GPS software 230.
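
Added example (Go), not part of the patent text: the packaged data structure 108 shared by the examples above, with encrypted body part 120, unencrypted body part 122 and encrypted rules 124, and the data-encrypting and rule-encrypting keys of claims 8 and 13 wrapped under a key the access mechanism holds. AES-GCM is the example's choice of cipher (the patent names none); each part is used as associated data for the next, so the rules are bound to the body and the browsable part to the protected part, and no part can be swapped in from another package. Key sizes, field names and the sample contents are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Package is the packaged data structure 108: encrypted body part 120,
// unencrypted body part 122 and encrypted rules 124, plus the wrapped keys.
type Package struct {
	EncryptedBody   []byte // 120: nonce || AES-GCM ciphertext, bound to 122
	UnencryptedBody []byte // 122: open for browsing
	EncryptedRules  []byte // 124: bound to 120
	WrappedKeys     []byte // data key || rule key under the mechanism key, bound to 124
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext; aad is authenticated but not encrypted,
// which is how one part of the package is tied to another.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// Distribute is the distributor's packaging step. mechanismKey is a 32-byte
// key shared with the access mechanism (a symmetric wrap keeps the example short).
func Distribute(mechanismKey, protectedBody, openBody, rules []byte) (p Package, err error) {
	keys := make([]byte, 64) // data-encrypting key || rule-encrypting key
	if _, err = rand.Read(keys); err != nil {
		return Package{}, err
	}
	p.UnencryptedBody = openBody
	if p.EncryptedBody, err = seal(keys[:32], protectedBody, openBody); err != nil {
		return Package{}, err
	}
	if p.EncryptedRules, err = seal(keys[32:], rules, p.EncryptedBody); err != nil {
		return Package{}, err
	}
	if p.WrappedKeys, err = seal(mechanismKey, keys, p.EncryptedRules); err != nil {
		return Package{}, err
	}
	return p, nil
}

// Access is the mechanism's side: unwrap the keys, then the rules, then the
// body. Any change to any part, or a part from another package, fails.
func Access(mechanismKey []byte, p Package) (rules, body []byte, err error) {
	keys, err := open(mechanismKey, p.WrappedKeys, p.EncryptedRules)
	if err == nil && len(keys) != 64 {
		err = errors.New("malformed key material")
	}
	if err != nil {
		return nil, nil, fmt.Errorf("unwrap keys: %w", err)
	}
	if rules, err = open(keys[32:], p.EncryptedRules, p.EncryptedBody); err != nil {
		return nil, nil, fmt.Errorf("rules: %w", err)
	}
	if body, err = open(keys[:32], p.EncryptedBody, p.UnencryptedBody); err != nil {
		return nil, nil, fmt.Errorf("body: %w", err)
	}
	return rules, body, nil
}

func main() {
	key := make([]byte, 32) // constructed mechanism key; a real one is provisioned at manufacture
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	pkg, err := Distribute(key, []byte("chapters 1..n"), []byte("abstract + index"), []byte("print=watermark;copies=1"))
	if err != nil {
		panic(err)
	}
	rules, body, err := Access(key, pkg)
	fmt.Printf("rules=%q body=%q err=%v browsable=%q\n", rules, body, err, pkg.UnencryptedBody)
}
```

With this layout the rules satisfy claim 12 in the sense that anyone can see the ciphertext but only the mechanism can read it, and the authentication tag stops anyone from changing it; addressing many mechanisms would replace the symmetric wrap of the keys with one wrap per mechanism public key.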

[0336] Relationship Among Rule Sets

[0337] In some embodiments, the access mechanism may be supplied with a set of rules built-in. In such an access mechanism the built-in rules might include rules that can or cannot be overruled (made less restrictive) by rules provided with packaged data. These initial rules can perform a number of functions and implement a number of policies. As examples, the access mechanisms provided in controlled output devices can include built-in rules (that cannot be overruled) which limit the device only to being an output device; or, the access mechanism provided with a VCR or a videodisc player can include rules (that cannot be overruled) which require the device to enforce the copyright laws of the country in which the device is sold. Whether or not internal built-in rules can be overruled by rules provided externally can be specified in the internal rules themselves.

[0338] While the present invention may be used to protect intellectual property by controlling access to that property, the mechanisms discussed herein are technical in nature and are independent of any form of legal protection: a purely technological approach has been presented to controlling access to data. Indeed, the invention offers the intellectual property owner the opportunity to restrict access and use of his or her data beyond the protections that may be available in law. The protection offered by the present invention may be used to enforce rights in intellectual property whether the protection at law is categorized as copyright, trade secret, contract, or something else. The cost-benefit tradeoff of seeking protection at law must be made by those with a vested interest in the intellectual property.

[0339] Typical computer systems are implemented at various levels, each level effectively defining a different virtual machine. Generally, each level of implementation can access the levels below it. In many systems it is desirable to have each level only access the level immediately below it. In that way, various policies can be enforced.

[0340] Typically the higher level virtual machines are implemented in software and the lower level machines are implemented in hardware. However, there is no precise hardware/software boundary between levels.

[0341] With reference to FIG. 24, for example, a computer system has a high-level application environment (level L4). These applications invoke (call) operating system level (L3) processes to perform various system functions. The OS level (L3) processes in turn invoke lower-level Basic Input/Output System (BIOS) machine dependent instructions as required (level L2). Note that application level (L4) programs might be permitted to bypass the OS level (L3) and invoke BIOS level (L2) processes directly, thereby avoiding any OS level (L3) policy checking and enforcement.

[0342] As an example, an application program (executing at level L4) which wishes to open a particular named file would invoke an operating system “open” procedure for that named file. The OS determines the location of the file (using, for example, an internal map between file names and locations) and then invokes a lower level (L2) BIOS routine to perform the actual seek to the file and the open and read. However, the application program might be permitted to bypass the operating system's “open” process and invoke the BIOS routines directly.

[0343] It is desirable to implement the access control mechanisms of the present invention at a low level, preferably at or below the BIOS level (level L1). This prevents users from bypassing the access control mechanisms of the invention and thereby circumventing the rule enforcement.

[0344] Thus, a system for controlling access and distribution of digital property is provided. One skilled in the art will appreciate that the present invention can be practiced by other than the described embodiments, which are presented for purposes of illustration and not limitation, and the present invention is limited only by the claims that follow.

What is claimed is:
 1. A method of controlling access to data comprising the steps of: protecting portions of the data; determining rules concerning access rights to the data; preventing unauthorized access to the protected portions of the data other than in a non-useable form; and limiting each and every access to the data only in accordance with the rules as enforced by a mechanism protected by tamper detection.
 2. A method of distributing data for subsequent controlled use of the data by a user, the method comprising the steps of: protecting portions of the data; preventing access to the protected portions of the data other than in a non-useable form; determining rules concerning access rights to the data; protecting the rules; and providing the protected portions of the data and the protected rules; whereby the user is provided controlled access to the data only in accordance with the rules as enforced by a mechanism protected by tamper detection.
 3. A method of distributing data for subsequent controlled use of the data by a user, some of said data having access rules already associated therewith, the method comprising the steps of: protecting portions of the data; preventing access to the protected portions of the data other than in a non-useable form; determining rules concerning access rights to the data; combining with the determined rules any rules previously associated with the data; protecting the combined rules; and providing the protected portions of the data and the protected combined rules; whereby the user is provided controlled access to the data only in accordance with the combined rules as enforced by an access mechanism protected by tamper detection.
 4. A method of controlling secondary distribution of data, the method comprising the steps of: protecting portions of the data; preventing access to the protected portions of the data other than in a non-useable form; determining rules concerning access rights to the data; protecting the rules; providing the protected portions of the data and the protected rules to a device having an access mechanism protected by tamper detection; and limiting transmission of the protected portions of the data from the device only as protected data or in accordance with the rules as enforced by the access mechanism.
 5. A method of controlling access to data with a computer system having an input/output (i/o) system for transferring data to and from all i/o devices, said i/o system being specific to said computer system, the method comprising the steps of: protecting portions of the data; determining rules concerning access rights to the data; preventing access to the protected portions of the data other than in a non-useable form; and limiting each and every access to the data only in accordance with the rules as enforced by said i/o system.
 6. A method of accessing data having protected data portions and rules concerning access rights to the protected portions, the method comprising the steps of: preventing access to the protected portions other than in a non-useable form; and limiting each and every access to the data only in accordance with the rules as enforced by a mechanism protected by tamper detection.
 7. A method as in any one of claims 1, 3, 4 and 5 wherein the step of protecting portions of the data comprises the step of encrypting the portions of the data, and wherein the step of preventing access prevents access to the encrypted portions of the data other than in encrypted form.
 8. A method as in claim 7, wherein said step of encrypting encrypts the portions of the data with a data encrypting key, said data encrypting key having a corresponding data decrypting key, said method further comprising the step of: encrypting the data encrypting key.
 9. A method as in claim 8, further comprising the step of: providing a decrypting key corresponding to said key encrypting key.
 10. A method as in any one of claims 2 and 3, wherein the step of protecting the rules comprises the step of encrypting the rules.
 11. A method as in claim 10, wherein the step of protecting portions of the data comprises the step of encrypting the portions of the data, and wherein the step of preventing access prevents access to the encrypted portions of the data other than in encrypted form.
 12. A method as in claim 11, wherein the rules are protected such that they can be viewed and they cannot be changed.
 13. A method as in claim 11, wherein the step of encrypting the rules comprises encrypting the rules with a rule encrypting key, the step of encrypting the portions of the data comprises encrypting the portions of the data with a data encrypting key, the method further comprising the step of encrypting the data encrypting key.
 14. A method as in any one of claims 1, 2, 3, 4, 5 and 6, wherein the data represent at least one of software, text, numbers, graphics, audio, and video.
 15. A method as in any one of claims 1, 2, 3, 4, 5 and 6, wherein the rules indicate which users are allowed to access the portions of the data, the method further comprising the step of allowing the user access to a protected portion of the data only if the rules indicate that the user is allowed to access that portion of the data.
 16. A method as in any one of claims 1, 2, 3, 4, 5 and 6, wherein the rules indicate distribution rights of the data, the method further comprising the step of: allowing distribution of the data only in accordance with the distribution rights indicated in the rules.
 17. A method as in any one of claims 1, 2, 3, 4, 5 and 6, wherein the rules indicate access control rights of the user, the method further comprising the step of: allowing the user to access the data only in accordance with the access control rights indicated in the rules.
 18. A method as in claim 17, wherein the access control rights include at least one of: local display rights, printing rights, copying rights, execution rights, transmission rights, and modification rights.
 19. A method as in any one of claims 1, 2, 3, 4, 5 and 6, wherein the rules indicate access control quantities, the method further comprising the step of: allowing access to the data only in accordance with the access control quantities indicated in the rules.
 20. A method as in claim 19, wherein the access control quantities include at least one of: a number of allowed read-accesses to the data; an allowable size of a read-access to the data; an expiration date of the data; an intensity of accesses to the data; an allowed level of accuracy and fidelity; and an allowed resolution of access to the data.
 21. A method as in any one of claims 1, 2, 3, 4, 5 and 6, wherein the rules indicate payment requirements, the method further comprising the step of: allowing access to the data only if the payment requirements indicated in the rules are satisfied.
 22. A method as in any one of claims 1, 2, 3, 4 and 6, further comprising the step of destroying data stored in the mechanism when tampering is detected.
 23. A method as in claim 5, further comprising the step of destroying data stored in the i/o system when tampering is detected.
 24. A method as in any one of claims 2, 3 and 4, wherein the step of providing provides the protected portions and the protected rules together as a package.
 25. A method as in any one of claims 2, 3and 4, wherein the step of providing provides the protected portions andthe protected rules separately.
 26. A method as in any one of claims 2,3 and 4, further comprising the step of: providing unprotected portionsof the data.
 27. A method as in claim 24, further comprising the stepof: providing unprotected portions of the data in the package.
 28. Amethod as in any one of claims 1, 2, 3, 4, 5 and 6, wherein said rulesrelate to at least one of: characteristics of users; characteristics ofprotected data; and environmental characteristics.
 29. A method as inclaim 6, wherein the protected data portions are encrypted and whereinthe step of preventing access prevents access to the encrypted portionsof the data other than in encrypted form.
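The method claims above describe one mechanism from several angles: the data portions are encrypted with a data encrypting key that is itself encrypted with a key encrypting key (claims 8, 9, 13), the rules travel with the package in a form that can be viewed but not changed (claims 12, 24), and a tamper-protected mechanism allows each access only if the rules permit it for that user (claim 15), that right (claim 18) and those access control quantities (claims 19, 20), destroying its keys when tampering is detected (claim 22). The following Python block is an added illustration of that flow, not code from the patent or from any product implementing it. It makes several assumptions that are labelled in the comments: the package layout, the rule field names (`allowed_users`, `rights`, `max_reads`, `max_read_size`, `expires`), a symmetric scheme in which the key decrypting key equals the key encrypting key, and a stand-in cipher built from an HMAC keystream so that the example runs on the standard library alone (a real device would use an authenticated cipher such as AES-GCM). Rule integrity is enforced with an HMAC tag, which is one way to realise "viewable but not changeable"; a signature from the distributor would be the other.

```python
import hashlib
import hmac
import json

# Stand-in cipher for this example (constructed, NOT a production cipher): XOR the
# data with an HMAC-SHA256 keystream so that the block needs only the standard
# library. Replace with an authenticated cipher such as AES-GCM in real use.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_package(plaintext: bytes, rules: dict, data_key: bytes,
                  key_encrypting_key: bytes, rule_key: bytes) -> dict:
    """Distributor side: protected data, wrapped data key and tagged rules
    delivered together (claims 8, 12, 13, 24). Layout is an assumption."""
    nonce = b"example-nonce-01"  # constructed; must be unique per data key in practice
    rules_bytes = json.dumps(rules, sort_keys=True).encode()
    return {
        "protected": _keystream_xor(data_key, nonce, plaintext),
        "nonce": nonce,
        # data encrypting key encrypted with the key encrypting key (claim 8)
        "wrapped_key": _keystream_xor(key_encrypting_key, b"kek-nonce", data_key),
        "rules": rules_bytes,  # readable in the clear (claim 12: viewable)
        "rules_tag": hmac.new(rule_key, rules_bytes, hashlib.sha256).hexdigest(),
    }


class AccessMechanism:
    """User side: the rule-enforcing mechanism of claims 6, 15, 18, 20 and 22."""

    def __init__(self, key_decrypting_key: bytes, rule_key: bytes):
        self._kdk = key_decrypting_key  # assumption: symmetric, equals the KEK
        self._rule_key = rule_key
        self._data_key = None
        self._rules = None
        self._package = None
        self._reads = 0
        self.tampered = False

    def load(self, package: dict) -> bool:
        # Rules may be viewed, but any change is rejected (claim 12).
        expected = hmac.new(self._rule_key, package["rules"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, package["rules_tag"]):
            return False
        self._rules = json.loads(package["rules"])
        # Recover the data decrypting key from the wrapped key (claims 9, 38).
        self._data_key = _keystream_xor(self._kdk, b"kek-nonce", package["wrapped_key"])
        self._package = package
        return True

    def on_tamper_detected(self) -> None:
        # Claims 22 and 42: destroy keys and other cryptographic variables.
        self._data_key = None
        self._kdk = b""
        self._rules = None
        self.tampered = True

    def read(self, user: str, size: int, now: int) -> bytes:
        """Return the first `size` plaintext bytes or raise PermissionError.
        `now` is a Unix timestamp passed in so the check is deterministic."""
        if self.tampered or self._rules is None:
            raise PermissionError("mechanism unavailable")
        r = self._rules
        if user not in r["allowed_users"]:        # claim 15: allowed users
            raise PermissionError("user not allowed")
        if "display" not in r["rights"]:          # claim 18: local display right
            raise PermissionError("display right not granted")
        if now >= r["expires"]:                   # claim 20: expiration date
            raise PermissionError("data expired")
        if size > r["max_read_size"]:             # claim 20: allowable read size
            raise PermissionError("read too large")
        if self._reads >= r["max_reads"]:         # claim 20: number of read-accesses
            raise PermissionError("read count exhausted")
        self._reads += 1
        plain = _keystream_xor(self._data_key, self._package["nonce"], self._package["protected"])
        return plain[:size]


def is_denied(mech: AccessMechanism, user: str, size: int, now: int) -> bool:
    """Helper for checks: True when the mechanism refuses the access."""
    try:
        mech.read(user, size, now)
        return False
    except PermissionError:
        return True


# Constructed sample keys, rules and content for a stand-alone run.
DATA_KEY = b"d" * 32
KEK = b"k" * 32
RULE_KEY = b"r" * 32
RULES = {"allowed_users": ["alice"], "rights": ["display"],
         "max_reads": 2, "max_read_size": 16, "expires": 1_700_000_000}
PACKAGE = build_package(b"the protected document body", RULES, DATA_KEY, KEK, RULE_KEY)

if __name__ == "__main__":
    mech = AccessMechanism(KEK, RULE_KEY)
    print(mech.load(PACKAGE), mech.read("alice", 8, 1_600_000_000))
```

Two points the claims make are visible in the run: every read goes through the mechanism, which sees only ciphertext until the wrapped key is recovered, and a package whose rules have been edited after tagging is refused at `load` rather than partially honoured.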
30. A storage device, readable by a machine, tangibly embodying a package of data comprising: protected portions of data; and rules concerning access rights to the data, whereby a user is provided controlled access to the data only in accordance with the rules as enforced by a mechanism protected by tamper detection.
31. A device for controlling access to data, the data comprising protected data portions and rules concerning access rights to the data, the device comprising: storage means for storing the rules; and means for accessing the protected data portions only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data.
32. A device as in claim 31, further comprising: means for storing data accessed by said means for accessing.
33. A device for displaying images represented by data comprising protected data portions and rules concerning access rights to the data, the device comprising: a tamper detecting mechanism; means for storing the rules; means for accessing the data only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data, said access being enforced by said tamper detecting mechanism; and means for displaying the images represented by the accessed data.
34. A device for outputting images represented by data comprising protected data portions and rules concerning access rights to the data, the device comprising: a tamper detecting mechanism; means for storing the rules; means for accessing the data only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data, said access being enforced by said tamper detecting mechanism; and means for outputting the images represented by the accessed data.
35. A device for outputting an audio signal represented by data comprising protected data portions and rules concerning access rights to the data, the device comprising: a tamper detecting mechanism; means for storing the rules; means for accessing the data only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data, said access being enforced by said tamper detecting mechanism; and means for outputting the audio signal represented by the accessed data.
36. A device for outputting an output signal based on data comprising protected data portions and rules concerning access rights to the data, the device comprising: a tamper detecting mechanism; means for storing the rules; means for accessing the data only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data, said access being enforced by said tamper detecting mechanism; and means for outputting the output signal represented by the accessed data.
37. A device for generating an output signal corresponding to data comprising protected data portions and rules concerning access rights to the digital data, the device comprising: a tamper detecting mechanism; means for storing the rules; means for accessing the digital data only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data, said access being enforced by said tamper detecting mechanism; and means for generating the output signal from the accessed data.
38. A device as in claim 31, wherein the protected data portions are encrypted using a data encrypting key and wherein the data encrypting key is encrypted with a key encrypting key, the device further comprising: means for obtaining a data decrypting key corresponding to the data encrypting key using a key decrypting key corresponding to the key encrypting key; means for storing the data decrypting key; and wherein said means for accessing comprises: means for decrypting the protected data portions using the data decrypting key.
39. A device as in any one of claims 33 and 34, wherein said images comprise at least one of text data, numbers, graphics data, and video data.
40. A device as in claim 31, further comprising: tamper detecting mechanism for detecting tampering with said device.
41. A device as in claim 38, further comprising: tamper detecting mechanism for detecting tampering with said device.
42. A device as in claim 41, wherein said tamper detection means comprises: means for destroying data including keys and other cryptographic variables stored in the device when tampering is detected.
43. A device as in any one of claims 33, 34, 35, 36, 37, 39 and 40, wherein said tamper detecting mechanism comprises: means for destroying data stored in the device when tampering is detected.
44. A device as in any one of claims 36 and 37, wherein the output signal comprises at least one of text, numbers, graphics, audio and video.
45. A device for distributing data for subsequent controlled use of the data by a user, the device comprising: means for protecting portions of the data; means for preventing access to the protected portions of the data other than in a non-useable form; means for determining rules concerning access rights to the data; means for protecting the rules; and means providing the protected portions of the data and the protected rules; whereby a user is provided controlled access to the data only in accordance with the rules as enforced by an access mechanism protected by tamper protection.
46. A device for distributing data for subsequent controlled use of the data by a user, some of said data having access rules already associated therewith, the device comprising: means for protecting portions of the data; means for preventing access to the protected portions of the data other than in a non-useable form; means for determining rules concerning access rights to the data; means for combining with said determined rules any rules previously associated with the data; means for protecting the combined rules; and means for providing the protected portions of the data and the protected combined rules; whereby the user is provided controlled access to the data only in accordance with the combined rules as enforced by an access mechanism protected by tamper detection.
47. A device as in any one of claims 45 and 46, wherein the means for providing provides the protected portions and the protected rules together as a package.
48. A device as in any one of claims 45 and 46, wherein the means for providing provides the protected portions and the protected rules separately.
49. A device as in any one of claims 45 and 46, wherein the means for protecting portions of the data comprises means for encrypting the portions of the data, and wherein the means for preventing access prevents access to the encrypted portions of the data other than in encrypted form.
50. A device as in any one of claims 45 and 46, wherein the means for protecting the rules comprises means for encrypting the rules.
51. A device as in claim 50, wherein the means for protecting portions of the data comprises means for encrypting the portions of the data, and wherein the means for preventing access prevents access to the encrypted portions of the data other than in encrypted form.
52. A device as in any one of claims 45 and 46, wherein the rules are protected such that they can be viewed and they cannot be changed.
53. A device as in claim 51, wherein the means for encrypting the rules comprises means for encrypting the rules with a rule encrypting key, the means for encrypting the portions of the data comprises means for encrypting the portions of the data with a data encrypting key, the device further comprising means for encrypting the data encrypting key.
54. A device as in any one of claims 45 and 46, further comprising means for providing unprotected portions of the data.
55. A device as in claim 47, further comprising: means for providing unprotected portions of the data in the package.
56. A device as in any one of claims 45 and 46, further comprising: means for detecting tampering with the access mechanism; and means for destroying data stored in the access mechanism when tampering is detected by the tamper detecting means.
57. A device as in any one of claims 30, 31, 33-37, 45 and 46, wherein said rules relate to at least one of: characteristics of users; characteristics of protected data; and environmental characteristics.
58. A device as in any one of claims 30, 31, 33-37, 45 and 46, wherein the data represent at least one of software, text, numbers, graphics, audio, and video.
59. A device as in any one of claims 30, 31, 33-37, 45 and 46, wherein the rules indicate access control rights of the user, the device further comprising: means for allowing the user to access the data only in accordance with the access control rights indicated in the rules.
60. A device as in claim 59, wherein the access control rights include at least one of: local display rights, printing rights, copying rights, execution rights, transmission rights, and modification rights.
61. A device as in any one of claims 30, 31, 33-37, 45 and 46, wherein the rules indicate access control quantities, the device further comprising: means allowing the user to access the data only in accordance with the access control quantities indicated in the rules.
62. A device as in claim 61, wherein the access control quantities include at least one of: a number of allowed read-accesses to the data; an allowable size of a read-access to the data; an expiration date of the data; an intensity of accesses to the data; an allowed level of accuracy and fidelity; and an allowed resolution of access to the data.
63. A process control system comprising a device for controlling access to data, the data comprising protected data portions and rules concerning access rights to the data, the device comprising: a tamper detecting mechanism; means for storing the rules; and means for accessing the protected data portions only in accordance with the rules, whereby output of protected data portions is permitted only in such manner as is permitted by the rules, said accessing being enforced by said tamper detecting mechanism.
64. A general purpose computer system comprising a device for controlling access to data, the data comprising protected data portions and rules concerning access rights to the data, the device comprising: a tamper detecting mechanism; storage means for storing the rules; and means for accessing the protected data portions only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data, said access being enforced by said tamper detecting mechanism.
65. A computer system as in claim 64, wherein said tamper detecting mechanism comprises: means for destroying data, rules and cryptographic variables stored in the device when tampering is detected.
66. A computer system as in claim 64, wherein the protected data portions are encrypted using a data encrypting key and wherein the data encrypting key is encrypted with a key encrypting key, the computer further comprising: means for obtaining a data decrypting key corresponding to the data encrypting key using a key decrypting key corresponding to the key encrypting key; means for storing the data decrypting key; and wherein said means for accessing comprises: means for decrypting the protected data portions using the data decrypting key.
67. A computer system comprising: an input/output (i/o) system for transferring data to and from all i/o devices, said i/o system being specific to said computer system; means for protecting portions of the data; means for determining rules concerning access rights to the data; means for preventing access to the protected portions of the data other than in a non-useable form; and means for limiting each and every access to the data only in accordance with the rules as enforced by said i/o system.
68. A system as in claim 67, further comprising means for destroying data, including cryptographic variables, stored in the i/o system when tampering is detected.
69. A system as in any one of claims 65 and 67, wherein the data represent at least one of software, text, numbers, graphics, audio, and video.
70. A system as in claim 67, wherein the means for protecting portions of the data comprises means for encrypting the portions of the data, and wherein the means for preventing access prevents access to the encrypted portions of the data other than in encrypted form.
71. A computer system as in claim 67, wherein the rules indicate which users are allowed to access the protected portions of the data, the system further comprising: means for allowing the user access to a protected portion of the data only if the rules indicate that the user is allowed to access that portion of the data.
72. A computer system as in claim 67, wherein the rules indicate distribution rights of the data, the system further comprising: means for allowing the user to distribute the data only in accordance with the distribution rights indicated in the rules.
73. A system as in claim 67, wherein the rules indicate access control rights of the user, the system further comprising: means for allowing the user to access the data only in accordance with the access control rights indicated in the rules.
74. A system as in claim 73, wherein the access control rights include at least one of: local display rights, printing rights, copying rights, execution rights, transmission rights, and modification rights.
75. A system as in claim 67, wherein the rules indicate access control quantities, the system further comprising: means allowing the user to access the data only in accordance with the access control quantities indicated in the rules.
76. A system as in claim 75, wherein the access control quantities include at least one of: a number of allowed read-accesses to the data; an allowable size of a read-access to the data; an expiration date of the data; an intensity of accesses to the data; an allowed level of accuracy and fidelity; and an allowed resolution of access to the data.
77. A system as in claim 70, wherein said means for encrypting encrypts the portions of the data with a data encrypting key, said data encrypting key having a corresponding data decrypting key, said system further comprising: means for encrypting the data encrypting key with a key encrypting key.
78. A system as in claim 77, further comprising: means for providing a decrypting key corresponding to said key encrypting key.
79. A system as in claim 75, wherein the rules indicate payment requirements, the system further comprising: means for allowing the user to access the data only if the payment requirements indicated in the rules are satisfied.
80. A system as in any one of claims 63, 64, 66 and 67, wherein said rules relate to at least one of: characteristics of users; characteristics of protected data; and environmental characteristics.